Abstract

This dissertation presents solutions for the application of partial order methods to the verification of timed systems, with the purpose of reducing the size of the explored state space.

Timed systems, which rely on timing information to operate correctly, pose special difficulties for automatic verification. Not only does the size of their state space grow exponentially with the number of components, as in any concurrent system, but some of the history of past transitions becomes part of the timed state. This hinders the use of partial order reduction, a technique which is applicable if different transition interleavings lead to the same state. We have given a partial order reduction algorithm for systems described as networks of timed automata, which preserves formulas in a timed extension of linear temporal logic. The algorithm is based on a modified local-time semantics, which allows individual automata to execute independently except for synchronization transitions.

More generally, we have investigated the application of partial order reduction in a continuous-time model whose semantics is defined in terms of timed traces. We show how to separate the causal dependence of transitions from their time ordering due to concurrency and how this leads to the application of partial order reduction. As particular instances of this framework we obtain improved algorithms for timed event/level structures and time Petri nets, as well as our algorithm for timed automata.

We have evaluated the performance of our partial order reduction approach on several timed automata benchmarks. The resulting reduction in state space stems from two sources: the local-time model reduces the number of generated time regions, while the partial order techniques applied from the domain of untimed systems reduce the explored control state space.
Chapter 1
Introduction

1.1 Motivation

A significant part of today's computer-related systems are time-critical. They may rely on timing information to operate correctly, or their specifications may require that certain actions be executed within given time limits. Examples of such systems are timed asynchronous circuits, network or communication protocols, and industrial controllers. Failure to satisfy these properties may result in malfunction, system shutdown, significant financial costs, or even risk to humans. It is therefore imperative that correctness of these applications is guaranteed under all possible circumstances.

Moreover, the development of techniques that assist this correctness goal can stimulate the use of designs that offer increased efficiency, but whose behavior is more difficult to analyze. Such is the case, for example, with asynchronous circuits, which can achieve significant performance gains while dispensing with some of the limitations of designs based on a synchronous clock.

At the same time, timed systems often lack in robustness (a small change in timing can result in a significant change in behavior), and their analysis can be very complex, since they have a large family of possible executions. The latter reason makes traditional methods such as testing and simulation even less likely to deliver exhaustive correctness results than in the case of untimed systems. In fact, with a dense view of time, the family of behaviors for a timed system can be infinite.
Formal verification techniques approach the correctness problem by proving, using mathematical formalisms, that a system model satisfies its specification under all possible circumstances. Within this category, model checking [CE81] has emerged as a very successful technique, with the benefit that it is completely automatic. However, its application to even larger and more complex systems is limited by the so-called state space explosion problem: for many types of systems, the number of possible states grows exponentially with the number of component parts. This quickly leads to models whose size exceeds the current capabilities of verification tools. For real-time systems, the space explosion problem is even more limiting, and is caused by two different factors: complexity in the control space and complexity due to the timing associated with the system.

To illustrate more precisely the causes of state space explosion in the case of timed systems, consider a typical state exploration algorithm. A complete state space search has to consider all transitions which could be executed first from a given state, in order to generate all possible interleavings. In an untimed concurrent system, this leads to a number of interleavings (and explored states) which is exponential in the number of concurrent components. In a timed system, the firing times of transitions become part of the state space, since the future behavior of the system typically depends on the relationship between them. This has two consequences. First, more information is usually needed to describe a timed state, resulting in a higher amount of memory used. Second, two transitions leading to the same state in the underlying untimed control structure will generally lead to different timed states, since the ordering of transitions is incorporated in the timed space.

Partial order reduction (e.g., [God90, Pel93, Val90]) is a well-established method to reduce the complexity of state space exploration in systems consisting of several parallel components. It explores a restricted number of interleavings for independent concurrent transitions, while preserving the verified property in the reduced model. This aspect makes it a very good candidate for containing the state space explosion in timed systems. However, partial order reduction considers two transition interleavings to be equivalent only if they lead to the same state. Thus, for timed systems, the encoding of transition ordering as part of the state, besides being one of the main causes of complexity, also prohibits the direct application of partial order reduction. It is precisely this issue that we propose to address.
1.2 Thesis Approach and Contributions

This dissertation presents solutions for the application of partial order methods to the verification of various models of timed systems, with the purpose of reducing the size of the explored state space.

The general approach followed is to define an alternate semantics for the timed model under investigation, in which causal dependence of transitions is separated from time ordering due to concurrency. This relaxed timing semantics is characterized by a richer set of behaviors. Whereas the standard semantics requires successive transitions to occur in a sequence of monotonically increasing timepoints, in the new semantics some transitions can be explored in an order which may be different from the original ordering of their execution times. However, the behaviors of the new model are restricted in such a way as to preserve the truth value of the specification. We chiefly work in the context of specifications expressed in timed extensions of next-time free linear temporal logic.

Performing the state space search using the modified semantics instead of the original one can be advantageous because the relaxed time ordering condition on transitions leads to the generation of fewer timed states. A timed state no longer needs to encode the total order of transitions leading to it, but merely a partial order representing causality. At the same time, the commutativity of transitions which are independent in the underlying untimed system is restored. This allows partial order reduction to be applied, potentially leading to a yet smaller system model, this time due to a decrease in the number of control states.
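The following added example (it is not code from the dissertation, and its toy model is not the dissertation's timed automata semantics) makes the commutativity argument of the two preceding paragraphs and of Section 1.1 concrete. It assumes two components that never synchronize, each with one clock and one location change that resets that clock, integer delays, and a constructed horizon H so that the state space is finite. Under a global-time semantics the two orders "A fires, time passes, B fires" and "B fires, time passes, A fires" end in different timed states, because the clock values record the order; under a local-time semantics, where each component advances its own time, the same per-component behaviour reaches one state whatever the exploration order. That restored commutativity is what makes the ample-set choice (explore only the moves of one component at a time) sound, and the reduced search visits far fewer local-time states than a full interleaving search of the same model.

```python
from collections import deque

# Constructed toy: N independent components (no synchronization), each with one
# clock, one location change "fire" that resets its clock, and unit delays.
# H bounds the time horizon so the state space is finite. None of this is the
# dissertation's model or code; it only illustrates the ordering argument.
H = 2
N = 2

# ---- global-time semantics: one shared delay advances every clock at once ----
GLOBAL_INIT = (0, ((0, 0),) * N)          # (global time T, ((loc_i, x_i), ...))

def global_successors(state):
    T, comps = state
    succ = {}
    if T < H:
        succ["delay"] = (T + 1, tuple((loc, x + 1) for loc, x in comps))
    for i, (loc, x) in enumerate(comps):
        if loc == 0:                      # fire_i: move to location 1, reset x_i
            new = list(comps)
            new[i] = (1, 0)
            succ[f"fire_{i}"] = (T, tuple(new))
    return succ

# ---- local-time semantics: each component carries its own time and delays alone ----
LOCAL_INIT = ((0, 0, 0),) * N             # ((loc_i, t_i, x_i), ...)

def component_successors(c):
    loc, t, x = c
    succ = {}
    if t < H:
        succ["delay"] = (loc, t + 1, x + 1)
    if loc == 0:
        succ["fire"] = (1, t, 0)
    return succ

def local_successors(state, reduced=False):
    """Enabled moves of the network. With reduced=True only the moves of the
    first component that can move at all are returned: the components never
    synchronize, so these moves are independent of every other component's
    moves, which is the ample-set choice partial order reduction relies on."""
    succ = {}
    for i, c in enumerate(state):
        for name, c2 in component_successors(c).items():
            new = list(state)
            new[i] = c2
            succ[f"{name}_{i}"] = tuple(new)
        if reduced and succ:
            break
    return succ

def reduced_local_successors(state):
    return local_successors(state, reduced=True)

def run(init, successors, names):
    state = init
    for name in names:
        state = successors(state)[name]
    return state

def commutes_global():
    # A fires, one time unit passes, then B fires, versus the mirror image.
    a = run(GLOBAL_INIT, global_successors, ["fire_0", "delay", "fire_1"])
    b = run(GLOBAL_INIT, global_successors, ["fire_1", "delay", "fire_0"])
    return a == b                         # False: the clock values record the order

def commutes_local():
    # Same per-component behaviour (A: fire then delay; B: fire), two interleavings.
    a = run(LOCAL_INIT, local_successors, ["fire_0", "delay_0", "fire_1"])
    b = run(LOCAL_INIT, local_successors, ["fire_1", "fire_0", "delay_0"])
    return a == b                         # True: only per-component causality is kept

def count_states(init, successors):
    """Number of states visited by a breadth-first search from init."""
    seen = {init}
    work = deque([init])
    while work:
        s = work.popleft()
        for s2 in successors(s).values():
            if s2 not in seen:
                seen.add(s2)
                work.append(s2)
    return len(seen)

def all_fired_reachable_local(successors):
    """Does the local-time search find the configuration where every component
    has fired? Used to check that the reduced search still reaches it."""
    seen = {LOCAL_INIT}
    work = deque([LOCAL_INIT])
    while work:
        s = work.popleft()
        if all(c[0] == 1 for c in s):
            return True
        for s2 in successors(s).values():
            if s2 not in seen:
                seen.add(s2)
                work.append(s2)
    return False

if __name__ == "__main__":
    print("global-time interleavings commute:", commutes_global())
    print("local-time interleavings commute: ", commutes_local())
    print("global-time states:", count_states(GLOBAL_INIT, global_successors))
    print("local-time states, full search:   ", count_states(LOCAL_INIT, local_successors))
    print("local-time states, reduced search:", count_states(LOCAL_INIT, reduced_local_successors))
```

The integer toy deliberately does not reproduce the region-count reduction reported for the local-time model (its local-time state space is larger than its global-time one, since components may drift apart freely); what it shows is that in the local-time model a reduced search of 33 states reaches the same final configuration as the full search of 81, while in the global-time model the two interleavings never meet, so no such reduction is available.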

The main contributions presented in this dissertation are:

• A method for the application of partial order reduction to networks of timed automata, based on a local-time model. In particular, we show how to effectively search the state space of the system using a local-time model, how to perform verification for a timed extension of linear temporal logic, and we give conditions for the selection of a reduced set of transitions during exploration. Our experimental results show that using a local-time model for exploration leads to a significant reduction in the number of timed regions, while partial order reduction results in a further reduction of the control state space.

• A general formalism for the application of partial order reduction for a class of continuous-time systems. We define a general timed model, and a semantics based on execution traces which separates the issues of transition causality from the ordering of their timestamps. We then show how our semantics naturally allows the application of partial order reduction and present an algorithm that performs a reduced state space search on a model based on timed regions.

• An algorithm that applies partial order reduction to the exploration of timed event/level structures, used in the modeling of asynchronous circuits. Compared to the original algorithm, which focuses on exploring fewer timing regions, the new algorithm also reduces the number of control states.

• A technique to apply partial order reduction statically at the time of model construction. This represents joint work, presented in [KLM+98]. The method permits reduction to be separated from the model checking algorithm and combined with other verification techniques, in particular with symbolic model checking.

• A proof for the correctness of partial order reduction with ample sets using a weaker condition for independence between transitions.

1.3 Related Work

We present a brief selective overview of relevant related research in the verification of timed systems, first discussing various models, and then previous work on applying partial order reduction to this domain.

1.3.1 Continuous and Discrete Time

To formalize the notion of time, two main directions have been pursued in the literature. One of them considers a dense (continuous) model of time, equating time with the set of real numbers R. In this model, an event (or a transition) can occur at an arbitrary time point on the real scale. On the other hand, the discrete model of time allows transitions to occur only at discrete time quanta, modeling time using the set of integer numbers Z. Throughout the history of verification for timed systems, the relative merits of the two approaches have been compared and debated [AH91, HMP92].
A comparison of the two models can be made in terms of both expressivity and efficiency. The continuous time model is strictly more expressive than the one employing discrete time. Intuitively, continuous time can model delays that are arbitrarily small. When modeling a system using the dense time paradigm, one does not have to assume that the granularity of the clock is appropriate for modeling all system behaviors. Furthermore, when composing two discrete-time systems, one has to match the granularity of the two clocks, an issue which does not occur with continuous time.

However, for some classes of timed systems, certain properties are preserved by discretization. Henzinger, Manna and Pnueli [HMP92] discuss timed transition systems, i.e., state-transition graphs augmented with upper and lower integer time bounds on transitions. They show that all qualitative (or time-independent) properties, and some common quantitative properties such as time-bounded invariance and time-bounded response, are preserved by a discrete-time semantics. Furthermore, if a property expressed in a certain timed logic holds in the continuous-time semantics, a weaker, derived property is guaranteed to hold in discrete time.

On the other hand, there exist systems and properties which are not preserved if a discrete-time model is used instead of continuous time. An analysis for combinational circuits is given in [AMP98]. Again, the timing constraints are expressed as bounded delays which are imposed on the output of each gate. It is shown that for acyclic circuits, a discretization quantum can be found such that qualitative behavior (i.e., event ordering) is preserved. In these cases, a time quantum of 1/n, where n is the number of signals in the circuit, is sufficient. However, there exist cyclic circuits whose continuous-time qualitative behavior is not preserved by any discretization.

From an efficiency point of view, both discrete- and continuous-time models have their individual advantages and disadvantages, although in general, practical results for discrete-time models have been better, as reported for instance in [BMT99]. Discrete-time techniques allow efficient representation techniques from the untimed domain to be used, such as binary decision diagrams [Bry86]. However, discrete time does not constitute an unconditional improvement. Modeling a system in discrete time can already result in a more complex model than by using a continuous-time semantics. Moreover, discrete-time techniques tend to be more sensitive to the size of the constants appearing in the model descriptions, and large constants can result in state space explosion.
1.3.2 Other Partial Order Approaches

We discuss three of the most common models that have been used for the description and verification of timed systems: timed automata, time Petri nets and timed event/level structures, and the related work that has been carried out to apply partial order reduction to these models.

The first partial order reduction procedure for a timed model seems to have been presented in the context of time Petri nets by Yoneda, Schlingloff et al. [YSSC93, YS97]. Their model is an extension of Petri nets in which upper and lower time bounds may be placed on transitions [MF76]. Because of their restricted timing conditions, time Petri nets are less expressive than timed automata. On the other hand, converting a Petri net into a timed automaton can potentially involve an exponential increase in the size of the model. Hence, verification algorithms for time Petri nets are not subsumed directly by those for timed automata. Yoneda and Schlingloff prove a partial order reduction algorithm that preserves properties in a timed extension of next-time free LTL. The fundamental idea of their approach is that only transitions from the reduced set chosen for exploration need to be interleaved in all possible time orderings. In Chapter 5 we show how this idea can be generalized, and the required condition can be weakened. Sloan and Buy [SB96, SB97] give a procedure similar to [YS97] for a more restrictive model of simple time Petri nets, in which each transition has a static delay. Lilius [Lil98] suggests an improvement that does not store the firing sequence of transitions as part of a timed state, but can only be applied to analyzing reachability of place markings.

Timed automata [AD90, ACD90] are finite-state automata augmented with a set of real-valued clocks that evolve at the same rate. Their transitions are guarded by constraints on clocks or their differences. Combining a natural description formalism with high expressive power, they have been extensively studied in the literature (see [AD94] for a comprehensive survey).

The model checking problem for timed automata has been investigated for powerful timed logics such as timed computation tree logic (TCTL) [ACD90] and timed modal μ-calculus [HNSY92]. The worst-case complexity of model checking is exponential in the number of clocks and the size of the maximal time constant in the model. However, model checking tools such as Kronos [NSY92] and Uppaal [LPW95] have implemented efficient search and representation techniques together with various optimizations that have enabled the verification of a number of real-world examples.
The first approach to the application of partial order reduction for systems composed of communicating timed automata is due to Pagani [Pag96, Pag97]. Her analysis shows however that the dependencies between the passage of time and transitions that cause a state change reduce the independence of transitions significantly compared to the untimed case and thus make the application of partial order reduction difficult. An improvement which identifies additional cases where reduction can be applied is presented in [DGKK98].

Bengtsson et al. [BJLW98] were the first to suggest a modified semantics that allows the component automata of a network to execute individually, synchronizing their local time scales only on synchronization transitions. Our results for timed automata are based on their work. However, the only preservation result proved for the new semantics was for local reachability. Moreover, they did not present a concrete verification algorithm, since the new model lacked an effective condition to decide the equality of two timed regions (i.e., a stopping condition in the state space search). As our main result, we show in Chapter 3 how to use this local-time model to perform model checking for a timed extension of linear temporal logic.

Timed event/level structures [BM97] are a specification formalism tailored to the description of asynchronous circuits, derived from the timed event/rule structures of [Mye95]. A rule describes a causal relation between two events, together with a separation interval (integer upper and lower time bounds) between them. They are in essence similar to Petri nets but in addition allow rules to depend on the value of signals. Belluomini and Myers [BM98] present an algorithm that stores only partial ordering relations between events and thus reduces the number of timed states generated during system exploration. However, the term "partial order" here does not imply the exploration of a reduced set of event or rule interleavings. In Chapter 4 we present how partial order reduction (in the sense of exploring a restricted set of events) can be added to their algorithm to also reduce the set of explored control states.

1.3.3 Other Approaches to State Space Explosion

Partial order reduction attempts to alleviate the state explosion problem for timed systems by addressing one specific cause, the redundant exploration of multiple transition interleavings. A wide variety of other methods have been used to contain state space explosion by addressing orthogonal issues. We mention some of the most relevant techniques, since many of them can be used in a model checker together with partial order reduction.

For timed automata, one of the reasons for the large size of the state space is the fact that during state space exploration, all pairs of clocks are related to each other by clock constraints. However, not all clocks are used at every point during the execution of the system. If a clock is not used in any constraint prior to the next point when it is reset, its relation to other clocks is irrelevant, and it can be removed from the representation of the current state. This method, called clock activity reduction, was introduced first by Daws and Yovine [DY96] and can significantly reduce the amount of memory that is necessary to store a timed state.
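As an added example of the clock activity idea just described (not code from the dissertation nor from Daws and Yovine's tool), the following computes, for a constructed three-location timed automaton with clocks x and y, the set of clocks that are active in each location: a clock is active if it is tested in the location's invariant or on an outgoing guard, or if it is still active in a successor location and is not reset on the edge leading there. The computation is the usual backward least fixpoint over the location graph; the automaton, its guards and resets are all assumptions made for the illustration. The example then shows the practical payoff: a timed state only needs to record the active clocks, so states that differ only in an inactive clock collapse into one, and the difference bound matrix kept per location shrinks accordingly.

```python
import re

# Constructed toy timed automaton (an assumption for this example): two clocks,
# three locations. Guards and invariants are plain strings; only the clock
# names occurring in them matter for the activity analysis.
CLOCKS = {"x", "y"}
LOCATIONS = ["l0", "l1", "l2"]
INVARIANTS = {"l1": "y <= 3"}
EDGES = [                       # (source, guard, clocks reset on the edge, target)
    ("l0", "x >= 1", {"y"}, "l1"),
    ("l1", "y <= 3", {"x"}, "l2"),
    ("l2", "y > 2", set(), "l0"),
]

def clocks_in(constraint):
    """Clock names occurring in a constraint string."""
    return {tok for tok in re.findall(r"[A-Za-z_]\w*", constraint) if tok in CLOCKS}

def active_clocks(locations, invariants, edges):
    """Least fixpoint of
         act(l) = clk(inv(l)) ∪ ⋃ over edges (l, g, r, l') of ( clk(g) ∪ (act(l') minus r) ),
    i.e. a clock is active in l if it is tested in l's invariant or on an
    outgoing guard, or is still active in a successor and not reset on the way.
    A clock that is inactive in l is reset before it is next tested, so its
    relation to the other clocks carries no information in l."""
    act = {l: frozenset() for l in locations}
    changed = True
    while changed:                        # monotone iteration from the empty sets
        changed = False
        for l in locations:
            new = clocks_in(invariants.get(l, ""))
            for src, guard, resets, dst in edges:
                if src == l:
                    new |= clocks_in(guard) | (act[dst] - resets)
            new = frozenset(new)
            if new != act[l]:
                act[l] = new
                changed = True
    return act

ACTIVE = active_clocks(LOCATIONS, INVARIANTS, EDGES)

def project(location, valuation):
    """Timed-state key keeping only the clocks active in `location`; two states
    that agree on it have the same future behaviour and can be stored once."""
    return tuple(sorted((c, valuation[c]) for c in ACTIVE[location]))

def dbm_dimension(location):
    """(reduced, full) size of the difference bound matrix in `location`:
    active clocks plus the reference clock, versus all clocks plus reference."""
    return len(ACTIVE[location]) + 1, len(CLOCKS) + 1

if __name__ == "__main__":
    for l in LOCATIONS:
        reduced, full = dbm_dimension(l)
        print(f"{l}: active {sorted(ACTIVE[l])}, DBM {reduced}x{reduced} instead of {full}x{full}")
```

On this automaton only x is active in l0 and only y in l1, while l2 needs both because l0 still needs x and the edge from l2 back to l0 does not reset it; so in l0 the states with x = 2 and y = 5, and with x = 2 and y = 0, are the same timed state.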

Another approach that reduces the complexity related to timing is based on the observation that not all the timing information in the description of a timed system is usually needed to guarantee the satisfaction of a given property. An approximation scheme which uses upper and lower bounds on the set of reachable states is described in the Ph.D. thesis of Wong-Toi [Won94]. Approximations have also been studied by Balarin [Bal96], and are incorporated in the model checker RT-Cospan [AK95]. In the latter situation, the underlying untimed description of the system is composed with an automaton representing the time bounds. Only the bounds that are necessary to verify the given property are successively introduced in the composition.

Time-abstracting bisimulations, which hide the quantitative aspects of time, are discussed in the Ph.D. thesis of Tripakis [Tri98]. If a system's quotient is computed with respect to a time-abstracting bisimulation, efficient methods from the untimed domain, such as minimization of the resulting transition system, can be applied for verification. Methods for abstraction of timed systems are also discussed in the thesis of Taşiran [Taş97].

Symbolic techniques based on BDDs have been investigated with great interest in the domain of timed systems, due to their success in the untimed and discrete-time case. Wong-Toi [Won94] reports successful use of BDDs to encode control states that share the same timing information, especially when used together with approximations. Balarin [Bal96] takes a different approach and uses BDDs to encode the difference bound matrices which represent time zones. Bozga, Maler et al. [BM97, BMT99] show that in several cases, BDDs together with discretization enable the verification of systems with more components than using a standard difference bound matrix (DBM) representation and continuous-time semantics. Belluomini [Bel99] uses BDDs for the storage of the reached state sets, but converts to an explicit DBM representation for the exploration algorithm. This modification makes the exploration slower, but enables the verification of larger models.
In previous joint work [CCM+94, CCM97], later extended in the Ph.D. thesis of Campos [Cam96], we have taken a different approach to the verification of timed systems, by focusing on a discrete-time model with unit transitions. Although very simple, this model is applicable in many situations, and has proved especially useful for systems whose components are naturally scheduled to execute in discrete time intervals. Since the model only needs to handle unit-time transitions, symbolic representation and analysis techniques based on BDDs from the domain of untimed systems are directly applicable, and show the same efficiency in practice. As a significant advantage, the approach allows not only the verification of specifications in temporal logics with or without explicit timing, but also the computation of quantitative properties about the system behavior. These include precise lower and upper bounds on execution times or on times spent in states that satisfy certain conditions, and can be used for detailed assessment of system properties.

The fundamental difference between the above approach and the work presented in this thesis lies in the application domain, and has consequences for modeling and efficiency. Most of the examples analyzed with the approach of [CCM+94] are composed of interacting processes executing on a single processor, or represent hardware and embedded systems where signals are discretely sampled. For these, the unit-time model is very appealing, and provides an efficiency that can likely not be matched for a continuous-time model with multiple clocks. Our thesis presents a general approach to reduction that is targeted mostly at asynchronous timed systems in which discretization may not preserve the system behavior, or may lead to state space explosion.

More recently, two data structures have been defined that are specifically tailored to the representation of difference constraints that appear in time zones. In both cases, one of the goals is to efficiently represent unions of time zones in the reached state space, rather than having to represent each time zone separately. Clock difference diagrams [BLP+99] are multi-way decision diagrams, in which levels are indexed by clock pairs (i.e., clock differences), and each lower-level node corresponds to an interval on the real time scale for the corresponding clock difference. In difference decision diagrams [MLAH99], the decision is binary and is given by the truth value of an atomic clock constraint. In addition, DDDs are the first data structure that makes possible model checking of timed automata in a fully symbolic fashion.
1.4 Outline

Chapter 2 starts by presenting the basic principles underlying partial order reduction. We give a proof for the correctness of partial order reduction using a weaker notion of independence. Next, we present a static approach to reduction, in which the reduced model is generated at compile-time. The next three chapters present our results concerning the application of reduction to timed systems. In Chapter 3, after introducing the local-time model for networks of timed automata, we show how to apply partial order reduction to the model checking of a timed extension of LTL. Chapter 4 presents a different reduction method, also for timed automata, but this time based on the region graph construction. Then, we show how partial order reduction can be incorporated into an exploration algorithm for timed event/level structures.

Chapter 5 presents our most general result. We identify the principles underlying the reduction techniques presented so far and apply them to a model of timed systems that can be particularized to either timed automata, time Petri nets or TEL structures. Chapter 6 presents a performance evaluation of the reduction method from Chapter 3 on systems modeled as timed automata, the most expressive of the timed models analyzed so far with partial order reduction. Finally, our conclusions and some directions for future work can be found in Chapter 7.
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Chapter  2 

Partial  Order  Reduction 


2.1  Introduction 

The  main  obstacle  for  automatic  verification  methods  based  on  state  space 
exploration  is  the  fact  that  the  systems  to  be  verified  often  have  prohibitively 
many  states  for  an  exhaustive  traversal.  The  state  space  of  a  system  made 
up  of  several  components  is  the  product  of  the  state  spaces  of  the  individual 
parts,  and  its  size  is  therefore  exponential  in  the  number  of  components. 
Thus,  the  size  of  the  global  system  quickly  becomes  unmanageable,  even  if 
each  individual  component  is  of  relatively  small  size.  This  has  been  called 
the  state  space  explosion  problem. 

A  wide  array  of  techniques  has  been  developed  to  alleviate  this  problem. 
Methods  based  on  compositional  reasoning  verify  the  system  behavior  based 
on  properties  of  the  individual  components,  without  having  to  construct  the 
global  state  space.  Other  methods  are  relatively  independent  of  the  modular 
system  structure.  Abstraction  techniques  create  smaller,  high-level  models 
that  approximate  the  original  one,  by  removing  irrelevant  detail.  On-the-fly 
and  local  model  checking  techniques  restrict  exploration  to  only  those  parts  of 
the  system  state  space  which  are  relevant  for  the  verified  property.  Symbolic 
techniques  use  an  implicit  representation  of  the  state  space,  which  does  not 
bear  a  direct  relationship  to  the  number  of  states  and  can  be  significantly 
smaller. 

Partial order reduction is a technique that constructs a smaller state space
by addressing a specific reason behind the state space explosion, namely the
existence of many potentially equivalent execution traces. This method is
typically applied to asynchronous systems, which are described using an
interleaving model of computation. Concurrent events are modeled by allowing
their execution in all possible orders relative to each other. This serialization
creates a large number of possible states and paths. However, not all different
interleavings can in general be distinguished by a specification. Partial
order reduction techniques take advantage of this by generating and exploring
a model with only a reduced set of interleavings, and thus fewer states.
At the same time, the reduced model is guaranteed to contain at least one
representative from each class of equivalent behaviors, thus preserving the
truth value of the specification.

In this chapter, we first present the basic principles behind the partial
order reduction method. Next, we prove that a relaxed independence relation
between transitions is sufficient to ensure the correctness of the ample
set method for partial order reduction. Finally, we present a variant called
static partial order reduction, which incorporates reduction into the model
in a preprocessing step and is thus independent of the model checking
algorithm. In particular, this method can be combined with symbolic state space
exploration techniques.

Several approaches that use the commutativity between selected transitions
to reduce the state space of a system have been suggested in the
literature. The first such method seems to have been suggested by Overman
[Ove81] in his Ph.D. thesis. However, it was restricted to models whose
state space did not contain loops. Later on, Katz and Peled [KP88] described
a proof system for concurrent systems that took advantage of commutativity
between transitions. This deduction system used as its core a set of proof
rules that asserted properties of sequences that are generated by exploring
certain subsets of successors from each state.

Over the last decade, several methods have been developed that apply
partial order reduction to model checking of finite-state systems. The common
characteristic of all these methods is that they explore only a certain
subset of transitions from each state. They differ in the conditions imposed
on the reduced transition set in order to guarantee correctness. Such
techniques are the stubborn set method of Valmari [Val90], the persistent set
method of Godefroid and Wolper [GW91, God96], and the ample set method
of Peled [Pel93]. We will focus here on the ample set method, occasionally
borrowing ideas from the stubborn set technique.

The name partial order reduction reflects the fact that the initial versions
of this method used an explicit partial order semantics. Generally speaking,
a partially ordered execution is represented by a set of events and a causality
relation between them. The causality relation indicates which events have to
precede others in any system execution, whereas the remainder of the events
that are not restricted by this relation are independent and can occur in any
order. This view of the system is in contrast to a total ordering on events, in
which all events are serialized, i.e., any event either precedes or follows any
other event. There are versions of partial order reduction that are explicitly
based on the fact that the generated reduced state space includes at least one
completion into a total order for each partially ordered execution. However,
most current methods are no longer based on explicitly maintaining this
relation.


2.2 Basic Notions

We analyze systems that are modeled as state transition graphs. Let $S$ be
the set of system states. A transition is identified with a particular action
that the system can execute and is given by a relation $\alpha \subseteq S \times S$, which
defines the pairs of states between which the action can be executed. A
state transition graph is a tuple $M = (S, S_0, T, L)$, where $S_0 \subseteq S$ is a set of
initial states, $T$ is a set of transitions $\alpha \subseteq S \times S$, and $L : S \to \mathcal{P}(AP)$ is a
labeling function that assigns to each state a subset of the set $AP$ of atomic
propositions.

A transition $\alpha \in T$ is enabled in a state $s$ if there exists a state $s'$ such
that $(s, s') \in \alpha$. Otherwise, $\alpha$ is said to be disabled at $s$. A transition is
deterministic if for any state $s \in S$ there exists at most one state $s' \in S$
such that $(s, s') \in \alpha$. In this case, $\alpha$ is in fact a partial function on $S$, and
we will use the notation $s' = \alpha(s)$ instead of $(s, s') \in \alpha$. In the following,
we will restrict ourselves to systems with deterministic transitions. It is still
possible to model nondeterminism in such systems, since in general there can
be more than one transition enabled at a given state.

An execution sequence $\sigma$ of a state transition graph is an infinite sequence
$\sigma = s_0 \xrightarrow{\alpha_0} s_1 \xrightarrow{\alpha_1} \cdots$ such that for all $i$, $s_{i+1} = \alpha_i(s_i)$. We denote by $\sigma_i$ the
suffix of $\sigma$ that starts at state $s_i$, i.e.,
$\sigma_i = s_i \xrightarrow{\alpha_i} s_{i+1} \xrightarrow{\alpha_{i+1}} s_{i+2} \xrightarrow{\alpha_{i+2}} \cdots$. An
execution sequence $\sigma$ is an initial execution sequence if $s_0$, the first state in
the sequence, belongs to the set of initial states $S_0$ of $M$.

In an asynchronous system, an execution trace serializes transitions
regardless of whether they occur sequentially in the same component or
concurrently in different components. Therefore, the number of transitions
separating two events has no direct relationship to the time delay between them.
Moreover, a transition which does not change the state labeling (also called a
stuttering step) and is concurrent with an observable event will necessarily be
serialized either before or after it. However, given the concurrent semantics of
the system, the serialization order should not affect the specification. These
observations argue (cf. [Lam83]) for a specification which cannot distinguish
between sequences of identically labelled states on an execution path of the
system.

Two infinite execution sequences are stuttering equivalent (Figure 2.1) if
they reduce to identical sequences of state labelings after, in each of them,
any finite sequence of identically labeled states is collapsed to a single state.

In other words, two infinite paths $\sigma = s_0 \xrightarrow{\alpha_0} s_1 \xrightarrow{\alpha_1} \cdots$ and
$\rho = r_0 \xrightarrow{\beta_0} r_1 \xrightarrow{\beta_1} \cdots$
are stuttering equivalent if one can define two infinite sequences of integers
$0 = i_0 < i_1 < \cdots$ and $0 = j_0 < j_1 < \cdots$ such that $\forall k \ge 0$,
$L(s_{i_k}) = L(s_{i_k+1}) = \cdots = L(s_{i_{k+1}-1}) = L(r_{j_k}) = L(r_{j_k+1}) = \cdots = L(r_{j_{k+1}-1})$.
The indices $i_k$ and
$j_k$ are the starting points of identically labeled subsequences of states in the
two paths, respectively. The stuttering equivalence relation between $\sigma$ and
$\rho$ is denoted by $\sigma \sim_{st} \rho$.


Figure 2.1: Stuttering equivalent paths

For assertions about the behavior of a program, we use the temporal logic
LTL [GPSS80]. Given a finite set of propositions $AP$, the formulas of LTL
are defined inductively as follows:

• $p$ is a formula, for every $p \in AP$

• if $\varphi$ and $\psi$ are formulas, then so are $\neg\varphi$, $\varphi \wedge \psi$, $X\,\varphi$ and $\varphi\, U\, \psi$.

An execution sequence $\sigma = s_0 \xrightarrow{\alpha_0} s_1 \xrightarrow{\alpha_1} \cdots$ is said to satisfy an LTL
formula $\varphi$ (denoted by $\sigma \models \varphi$) under the following conditions:

• $\sigma \models p$ iff $p \in L(s_0)$, for $p \in AP$,

• $\sigma \models \neg\varphi$ iff not $\sigma \models \varphi$,

• $\sigma \models \varphi \wedge \psi$ iff $\sigma \models \varphi$ and $\sigma \models \psi$,

• $\sigma \models X\,\varphi$ iff $\sigma_1 \models \varphi$,

• $\sigma \models \varphi\, U\, \psi$ iff $\exists i \ge 0$ such that $\sigma_i \models \psi$ and $\forall j\,.\; 0 \le j < i \Rightarrow \sigma_j \models \varphi$.

Let $false$ stand as an abbreviation for $p \wedge \neg p$, and $true$ be an abbreviation
for $\neg false$. We also use the following abbreviations: $\varphi \vee \psi = \neg((\neg\varphi) \wedge (\neg\psi))$,
$F\,\varphi = true\, U\, \varphi$, $G\,\varphi = \neg F\, \neg\varphi$.

For a given state transition graph $M$ and LTL formula $\varphi$, the model
checking problem for $M$ and $\varphi$ is to verify that for every initial state $s_0 \in S_0$
and every path $\sigma$ starting in $s_0$, it is true that $\sigma \models \varphi$. We write $M \models \varphi$ to
denote that the formula $\varphi$ is true in model $M$.

An LTL formula $\varphi$ is invariant under stuttering if for any two paths $\sigma$
and $\sigma'$ such that $\sigma \sim_{st} \sigma'$, we have $\sigma \models \varphi$ iff $\sigma' \models \varphi$.

Recall that we have argued for the use of specifications that cannot distinguish
between stuttering equivalent sequences. In general, an LTL formula
is sensitive to stuttering if it contains the next-time operator $X$. Denote by
LTL$_{-X}$ the subset of the logic LTL that does not make use of the next-time
operator. It has been shown by Peled and Wilke [PW97] that an LTL property
is invariant under stuttering precisely if it can be expressed in LTL$_{-X}$.
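To see the role of the next-time operator concretely, the following added example (not part of the dissertation) evaluates LTL formulas in the syntax and semantics of this section over a lasso-shaped path, and compares the verdicts on two constructed stuttering-equivalent paths SIGMA and RHO: a formula containing X tells them apart, while formulas without X agree.

```python
# Added example (not from the dissertation): LTL over an ultimately periodic
# path prefix . loop^omega whose elements are state labelings L(s). Formulas
# are nested tuples: ("p", name), ("not", f), ("and", f, g), ("X", f),
# ("U", f, g); the abbreviations follow the definitions in the text.

def Not(f):    return ("not", f)
def And(f, g): return ("and", f, g)
def X(f):      return ("X", f)
def U(f, g):   return ("U", f, g)
FALSE = And(("p", "_"), Not(("p", "_")))     # p and not p, for a dummy p
TRUE = Not(FALSE)
def Or(f, g):  return Not(And(Not(f), Not(g)))
def F(f):      return U(TRUE, f)
def G(f):      return Not(F(Not(f)))

def positions_satisfying(formula, prefix, loop):
    """Positions 0 <= i < len(prefix) + len(loop) whose suffix sigma_i satisfies
    the formula; a position inside the loop stands for all its repetitions."""
    labels = list(prefix) + list(loop)
    m, start = len(labels), len(prefix)
    nxt = lambda i: i + 1 if i + 1 < m else start    # successor on the lasso
    sub = lambda f: positions_satisfying(f, prefix, loop)
    kind = formula[0]
    if kind == "p":
        return {i for i in range(m) if formula[1] in labels[i]}
    if kind == "not":
        return set(range(m)) - sub(formula[1])
    if kind == "and":
        return sub(formula[1]) & sub(formula[2])
    if kind == "X":
        inner = sub(formula[1])
        return {i for i in range(m) if nxt(i) in inner}
    if kind == "U":
        phi, psi = sub(formula[1]), sub(formula[2])
        sat = set(psi)          # least fixed point: psi holds now, or phi holds
        while True:             # now and (phi U psi) holds at the next position
            new = {i for i in phi if nxt(i) in sat} - sat
            if not new:
                return sat
            sat |= new
    raise ValueError(f"unknown connective {kind!r}")

def satisfies(prefix, loop, formula):
    """sigma |= formula: the formula holds at position 0 of the path."""
    return 0 in positions_satisfying(formula, prefix, loop)

# Constructed stuttering-equivalent paths: SIGMA stutters once on {p}.
SIGMA = ([{"p"}, {"p"}, {"q"}], [{"q"}])
RHO = ([{"p"}, {"q"}], [{"q"}])

def agree(formula):
    """True if SIGMA and RHO give the same verdict for the formula."""
    return satisfies(*SIGMA, formula) == satisfies(*RHO, formula)
```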

The notion of stuttering equivalence can be naturally extended from
paths to state transition graphs. Two state transition graphs $M$ and $M'$
labeled with the same set of atomic propositions are stuttering equivalent
if a correspondence relation can be established covering all their execution
sequences, such that corresponding execution sequences are stuttering
equivalent. Specifically,

• for each initial execution sequence $\sigma$ of $M$ there exists an initial
execution sequence $\sigma'$ of $M'$ such that $\sigma \sim_{st} \sigma'$.

• for each initial execution sequence $\sigma'$ of $M'$ there exists an initial
execution sequence $\sigma$ of $M$ such that $\sigma' \sim_{st} \sigma$.

The fact that LTL$_{-X}$ formulas are stuttering invariant together with the
definition of stuttering equivalence of state transition graphs imply the
following result:

If $M$ and $M'$ are stuttering equivalent state transition graphs,
then for any LTL$_{-X}$ formula $\varphi$, $M \models \varphi$ iff $M' \models \varphi$.

This is the main result which justifies the use of partial order reduction,
since this method generates a reduced model that is stuttering equivalent to
the original one. In the next section, we describe the general principles that
stand behind the reduced state space generation.


2.3 Principles of Partial Order Reduction

The results about stuttering presented in the previous section imply that
when model checking a concurrent asynchronous system with respect to a
stuttering-invariant specification, one does not need to explore all behaviors
of the model. If the execution sequences are divided into equivalence classes
with respect to stuttering equivalence, it is sufficient to select just one
behavior from each class as part of the reduced model in order to guarantee
correctness.

Consider an example that illustrates the importance of reduction. Assume
that the system to be verified is composed of $n$ concurrent processes,
$P_1, P_2, \ldots, P_n$. Each process $P_i$ has a transition $\alpha_i$ enabled in some local
state $s_i$, such that $\alpha_i(s_i) = s_i'$. The concurrent transitions can be ordered
in $n!$ possible ways, resulting in the exploration of $2^n$ different states. However,
it is possible that the specification is a property that relates the initial
global state $(s_1, \ldots, s_n)$ with the resulting global state $(s_1', \ldots, s_n')$, without
depending on the intermediate states or on the path taken between them. Thus,
it is much more efficient to consider only one particular ordering and the
corresponding $n + 1$ states.

In most variants of partial order reduction, the reduced model of the
system is built by performing a modified depth-first search on an explicit-state
representation of the system. This is followed by a separate model
checking phase performed on the reduced state-transition graph. Another
option is to construct the reduced model on the fly, during model checking.
This has the advantage that the state space construction can be guided taking
into account the specification, and the size of the constructed model can be
reduced further. Another variant, described in detail later in this chapter,
involves the use of breadth-first search, which has the potential of combining
partial order reduction with a symbolic representation. The essential aspect
common to all these approaches is that the reduced model is built directly,
without first constructing the full state graph of the original system. This
is a natural requirement, since the full model is typically too large to be
constructed in the first place, and an indirect approach would defeat the
purpose of the reduction.

The selection of representative behaviors is made by following from each
state only a subset of the enabled transitions, as opposed to an ordinary
search which would explore all of them. We denote by $ample(s) \subseteq enabled(s)$
the set of transitions which are explored from state $s$ in the case of partial
order reduction.

The key to applying partial order reduction is a procedure that calculates
at each state $s$ a suitable set $ample(s)$ of transitions to be explored. On one
hand, this set should be small (significantly smaller than the set of all enabled
transitions), in order to effectively reduce the searched state space. On
the other hand, the correctness of the verification result has to be preserved,
by including in the reduced state graph at least one equivalent execution
sequence for each execution of the original model. Finally, the overhead for
computing an ample set should be sufficiently small that the verification
time does not exceed that of a full state space search, which would offset the
benefits of the reduction.

In order to obtain such a procedure for selecting transitions, one has to
formalize the notion of transitions that can be reordered. Two key concepts
play a role in this process: the notion of transition independence relates to
the interaction between the execution of transitions in the model, whereas
transition visibility is determined by the properties examined by the
specification.

Two transitions $\alpha, \beta \in T$ are independent in a state $s \in S$ if they satisfy
the following two conditions:

• Enabledness: If $\alpha, \beta \in enabled(s)$, then $\alpha \in enabled(\beta(s))$ and
symmetrically $\beta \in enabled(\alpha(s))$.

• Commutativity: If $\alpha, \beta \in enabled(s)$ then $\alpha(\beta(s)) = \beta(\alpha(s))$.

The enabledness condition expresses the fact that two independent transitions
that are enabled at a given state cannot disable each other. The
commutativity condition states that the execution of two independent transitions
in any order (which is guaranteed to be possible by the enabledness
condition) leads to the same state. Two transitions that are independent at
each state $s \in S$ are called globally independent. In the following, "independent"
implicitly stands for "globally independent", unless a specific state is
mentioned. Two transitions are called dependent (at a particular state or
globally) if they are not independent.


Figure 2.2: Independent transitions

The independence relation can be pictorially represented using a diagram
such as the one in Figure 2.2, which depicts a simple fragment of a state
transition graph. Transitions $\alpha$ and $\beta$ are independent in state $s$. A possible
reduction would consider only the execution sequence $s \xrightarrow{\alpha} s_1 \xrightarrow{\beta} s'$,
eliminating the path $s \xrightarrow{\beta} s_2 \xrightarrow{\alpha} s'$. However, this reduction is only correct if the
checked property cannot distinguish between the intermediate states $s_1$ and
$s_2$. (Additional conditions for the correctness of the reduction are needed,
and they will be described in the next subsection. For instance, eliminating
one of these states may prevent the exploration of its successors, which may
be significant for verification.)

The definition of independence given here requires independent transitions
not to disable one another. However, the execution of a transition can
enable the execution of another one, while maintaining independence. The
partial order reduction literature often uses a more restrictive version of the
enabledness condition that requires independent transitions to neither disable
nor enable one another. Specifically, the more restrictive condition requires
that if $\alpha \in enabled(s)$, then $\beta \in enabled(s)$ iff $\beta \in enabled(\alpha(s))$, together
with the symmetric condition with $\alpha$ and $\beta$ reversed (the commutativity
condition remains the same). In the stubborn set approach of Valmari [Val90]
the less restrictive condition is consistently used, whereas the persistent set
method of Godefroid et al. [God96] is defined using the more restrictive
condition. The papers describing the approach of Peled generally use the more
restrictive condition, save for [Pel94] (revised in [Pel96a] to the more restrictive
condition) and [HP94]. In both of the latter cases, reference is made to proofs
carried out using the more restrictive condition. In the following we use the
less restrictive condition and prove that it is sufficient for handling LTL$_{-X}$.

To examine what it means for a specification to distinguish between two
states, we introduce a second key notion, that of transition visibility. Recall
that one of the elements of the state transition graph is the labeling function
$L : S \to \mathcal{P}(AP)$ which assigns to each state a set of atomic propositions. The
specification may not observe all atomic propositions in $AP$: let $AP' \subseteq AP$
be the subset of atomic propositions which are actually used in the formula.
A transition $\alpha$ is called invisible with respect to $AP' \subseteq AP$ if its execution
between any two states does not change the labeling with atomic propositions
from $AP'$. Formally, the transition $\alpha \in T$ is invisible with respect to $AP'$ if
for any two states $s, s' \in S$ with $s' = \alpha(s)$ we have $L(s) \cap AP' = L(s') \cap AP'$.
A transition is called visible if it is not invisible. Since the set of atomic
propositions with respect to which we consider visibility is typically given
by the specification, in the following we will use the terms "visible" and
"invisible" without referring specifically to a set of atomic propositions $AP'$.


2.4 Conditions for Partial Order Reduction

The notions of independence and visibility of transitions are the fundamental
properties taken into account when selecting a reduced set of transitions to
explore at a given state. The selected subset of transitions should be small,
in order to facilitate reduction. However, if at some state a reduced set
of transitions cannot be found, the search algorithm is safe in exploring all
enabled transitions. In this case, if $ample(s) = enabled(s)$, the state is said
to be fully expanded.

In order to describe the most general reduction conditions, and at the
same time facilitate a natural proof of correctness, the reduced sets of transitions
at each state are not described operationally by means of an algorithm
to select them. Rather, a set of conditions is given that these transitions
must satisfy [Pel93]. Following these conditions, algorithms and heuristics
can be devised that actually construct an ample set for each state. Such
algorithms are reviewed in a later section.

The first, trivial condition has to ensure that at each step some new state
can be explored in the reduced model if this is possible in the original model:

C0 (Emptiness) $ample(s) = \emptyset$ iff $enabled(s) = \emptyset$.

The next constraint ensures that any path of the original state graph can
be transformed into a path of the reduced model by commuting independent
transitions. This is a first step to guarantee that the reduced model will
contain a representative for each path in the full state space.

C1 (Faithful decomposition) For any execution sequence $s_0 \xrightarrow{\alpha_0} s_1 \xrightarrow{\alpha_1} \cdots$
of $M$, and for any $k \in \mathbb{N}$, if $\alpha_i \notin ample(s_0)$ for $0 \le i < k$, then $\alpha_i$ is
independent of any transition $\beta \in ample(s_0)$ for $0 \le i < k$.

In other words, on any execution sequence of the original model starting
at some state $s$, no transition which is dependent on a transition from
$ample(s)$ can occur before some transition from $ample(s)$ is executed. Since
any transition in $enabled(s) \setminus ample(s)$ can be executed from $s$ in the original
model, this implies immediately that any transition which is not in $ample(s)$
is independent from any transition in $ample(s)$. This property has been
named "faithful decomposition" in [KP88], since the set of enabled transitions
at any state $s$ is partitioned into two sets, $ample(s)$ and its complement,
and neither of the transitions in one of the two sets can affect the execution
of a transition in the other set.

Condition C1 is used to show that for any execution sequence $\sigma$ starting
at some state $s_0$ in the original model, some transition in $ample(s_0)$ can be
taken without disabling any of the transitions in the given sequence. This,
in turn, can be used as an inductive argument to construct an execution
sequence in the reduced state model from each execution sequence in the
original model. We explain informally why this property holds; a complete
proof is given in a later section. If the first transition is an ample transition,
$\alpha_0 \in ample(s_0)$, the property is trivially true. The following two cases remain:
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a  i  «fe- 


Figure  2.3:  Reordering  of  transitions  based  on  commutativity 


(a) $\sigma$ contains some transition from $ample(s_0)$. Let the first such transition
be $\beta = \alpha_k$, with $k \ge 1$. By condition C1, $\alpha_k \in ample(s_0)$ is
independent of $\alpha_0, \ldots, \alpha_{k-1}$ and commutes with all these transitions.
Thus, the transition sequence $\alpha_k \alpha_0 \alpha_1 \ldots \alpha_{k-1}$ can be executed in $s_0$,
leads to the same state as the transition sequence $\alpha_0 \alpha_1 \ldots \alpha_k$, and can
be followed from this state by the remaining suffix $\sigma_{k+1}$ of $\sigma$.

(b) $\sigma$ does not contain any transition from $ample(s_0)$. Let $\beta \in ample(s_0)$
be an arbitrary transition. By condition C1, $\beta$ is independent from all
transitions in $\sigma$. Therefore, if $s_0' = \beta(s_0)$, then $\alpha_0 \in enabled(s_0')$, and
inductively it follows that the entire transition sequence $\alpha_0 \alpha_1 \cdots$ can
be executed from $s_0'$.

However, the fact that each path in the full state space can be transformed
into a path which includes the same transitions and has a prefix which
belongs to the reduced model is not sufficient in itself. One has to guarantee
that the specification is not affected, by ensuring that the generated path
is stuttering equivalent to the original one. This aspect is handled by the
following condition:

C2 (Visibility) If $ample(s)$ contains a visible transition, then the state $s$
is fully expanded, i.e., $ample(s) = enabled(s)$.

We explain the effect of this condition based on the cases (a) and (b)
presented for condition C1. In case (a), since $\alpha_0 \notin ample(s_0)$, it follows
that state $s_0$ is not fully expanded and thus, by C2, all transitions in $ample(s_0)$
must be invisible. If we denote $s_i' = \alpha_k(s_i)$, for $0 \le i \le k$ (cf. Fig. 2.3 for
$\beta = \alpha_k$), then we have $L(s_i) = L(s_i')$. Thus the two state sequences
$s_0 s_1 \ldots s_k s_k'$ and $s_0 s_0' s_1' \ldots s_{k-1}' s_k'$ are stuttering equivalent, since a
one-to-one correspondence of labelings exists after collapsing $s_k$ with $s_k'$ in
the first sequence and $s_0$ with $s_0'$ in the second. A similar argument holds in
case (b). Here too, $\beta$ must be invisible, and after collapsing $s_0$ and $s_0'$, the
prefixes $s_0 s_1 \ldots s_k$ and $s_0 s_0' s_1' \ldots s_k'$ are stuttering equivalent for any $k$.

Note that one of the possible transformation cases described for condition
C1 (specifically, the second) does not consume any transition from $\sigma$ while
generating an alternate execution sequence in the reduced state model. Instead,
a supplementary transition from the ample set of the current state is
inserted. It is possible for this step to be repeated sufficiently often that
the inserted ample transitions close a cycle in the state space of the reduced
(and original) model (see Figure 2.4). Then, a stuttering-equivalent path
for $\sigma$ will not be generated, since the transition $\alpha_0$ will never be explored,
despite remaining continually enabled while executing the ample transitions.
This can affect the truth value of the specification, since $\alpha_0$ may be visible
or lead to parts of the state space which are not explored otherwise. The
following condition guarantees that no transition is ignored and the above
case does not occur:


Figure 2.4: Cycle-closing condition


C3 (Cycle closing) A transition which is enabled in every state of a cycle
in the reduced state space belongs to the ample set of some state on the cycle.
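The definitions of independence and visibility from Section 2.3 and conditions C0, C1 and C2 above can be checked mechanically on a finite model. The following added example (not part of the dissertation) does so for the $n$-process example of Section 2.3: $n$ deterministic transitions as partial functions on global states, an independence test (enabledness plus commutativity), an invisibility test with respect to a constructed $AP'$, a simple ample-set selection rule, and reachability-based checks of C0, C1 and C2; the reduced model has $n + 1$ states against $2^n$ in the full one. The selection rule and the choice of observed propositions are assumptions of the example.

```python
from collections import deque
from itertools import product

# Constructed model: n concurrent processes P_1..P_n, each with one transition
# a_i that moves its local state from 0 to 1 (the n-process example of
# Section 2.3). A global state is the tuple of local states.
N = 4
AP_OBSERVED = {"done_1"}     # AP': the specification only looks at process 1

def make_transitions(n):
    """Deterministic transitions as partial functions: a_i(s), or None if disabled."""
    def make(i):
        def step(s):
            return s[:i] + (1,) + s[i + 1:] if s[i] == 0 else None
        return step
    return {f"a{i + 1}": make(i) for i in range(n)}

T = make_transitions(N)
S0 = (0,) * N
ALL_STATES = list(product((0, 1), repeat=N))

def label(s):
    """L(s): the atomic propositions done_i that hold in global state s."""
    return {f"done_{i + 1}" for i, v in enumerate(s) if v == 1}

def enabled(s):
    return {a for a, f in T.items() if f(s) is not None}

def independent(a, b, s):
    """Independence of a and b at s: enabledness and commutativity conditions."""
    fa, fb = T[a], T[b]
    if fa(s) is None or fb(s) is None:
        return True                      # nothing is required unless both enabled
    if fa(fb(s)) is None or fb(fa(s)) is None:
        return False                     # one of them disables the other
    return fa(fb(s)) == fb(fa(s))        # both orders reach the same state

def globally_independent(a, b):
    return all(independent(a, b, s) for s in ALL_STATES)

def invisible(a, observed):
    """a never changes the labeling restricted to the observed propositions."""
    fa = T[a]
    return all(label(s) & observed == label(fa(s)) & observed
               for s in ALL_STATES if fa(s) is not None)

def ample(s):
    """Constructed selection rule: a single invisible enabled transition if one
    exists (smallest index), otherwise the state is fully expanded."""
    en = enabled(s)
    inv = sorted(a for a in en if invisible(a, AP_OBSERVED))
    return {inv[0]} if inv else en

def check_c0(s):
    return (ample(s) == set()) == (enabled(s) == set())

def check_c1(s):
    """C1 by reachability: follow only transitions outside ample(s) (the part of
    any execution before its first ample transition) and require each of them
    to be independent of every transition in ample(s)."""
    amp = ample(s)
    seen, queue = {s}, deque([s])
    while queue:
        u = queue.popleft()
        for a in enabled(u) - amp:
            if not all(globally_independent(a, b) for b in amp):
                return False
            v = T[a](u)
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return True

def check_c2(s):
    """C2: an ample set containing a visible transition must be the full set."""
    amp = ample(s)
    if any(not invisible(a, AP_OBSERVED) for a in amp):
        return amp == enabled(s)
    return True

def reachable(successors):
    """States reachable from S0 when each state s is expanded via successors(s);
    reachable(enabled) is the full model, reachable(ample) the reduced one."""
    seen, queue = {S0}, deque([S0])
    while queue:
        u = queue.popleft()
        for a in successors(u):
            v = T[a](u)
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen

def conditions_hold():
    """C0, C1 and C2 at every state of the reduced model."""
    return all(check_c0(s) and check_c1(s) and check_c2(s)
               for s in reachable(ample))
```

C3 is not checked here; the reduced graph of this model is acyclic, so it holds trivially, whereas a model with cycles would need the cycle-closing check as well.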

The conditions for partial order reduction can be simplified if model
checking is done under fairness assumptions. Typically, the verified system
consists of multiple processes, and the usual notion of fairness states
that each process has to execute infinitely often. Noting that two transitions
enabled at the same local state of a process are dependent, this notion of
fairness implies the following condition [Pel94, Pel96a]:

F If a transition $\alpha$ is enabled in the starting state $s$ of an execution
sequence $\sigma$, then $\sigma$ must contain either $\alpha$ or a transition dependent on $\alpha$.

The fairness condition F ensures precisely that case (b) discussed above
cannot happen. Indeed, if F is applied to $\alpha \in ample(s)$, then $\sigma$ must contain
either $\alpha$ or some transition $\beta$ dependent on it. In the latter case, C1 states
that some transition in $ample(s)$ must appear in $\sigma$ before $\beta$. In either case,
$\sigma$ contains a transition from $ample(s)$. In [Pel96a], the visibility condition
C2 is handled by including visible transitions in the dependence relation.
Since C1 implies that an ample transition is independent of all transitions
outside the ample set, it follows that an ample set that contains one visible
transition has to contain all of them. Thus, condition C1 subsumes C2 in
this case.

This completes the presentation of the conditions which characterize ample
sets. It can be shown that under these conditions, the constructed reduced
model is stuttering equivalent to the original one. In the next section, we give
a new proof that this result holds even if we use the less restrictive notion
for transition independence discussed in Section 2.3.


2.5 A Proof for Partial Order Reduction


The correctness proofs for the ample set given in the literature employ a
restricted definition of transition independence, which requires that two
independent transitions neither disable nor enable one another at any state.
However, the stubborn set method of Valmari uses the less restrictive version
presented in Section 2.3, which considers two transitions independent
even if one of them enables the other. Godefroid [God96] presents his
persistent set approach using the more restrictive independence condition, but
does not mention in his comparison to ample sets and stubborn sets whether
this difference is relevant or not.

A clear statement regarding the two different conditions is important,
since the weaker version allows the selection of potentially smaller ample
sets. Moreover, the weak version also forms the basis for existing criteria
and heuristics for ample set selection such as those used in the SPIN model
checker [HP94]. In the following, we prove the correctness of ample set
reduction for LTL$_{-X}$ model checking using the weaker independence condition.
An alternative, independent proof of this result is given in [CGP99].

We prove that for every transition sequence $\sigma$ in the original state transition
graph we can construct a stuttering equivalent sequence $\sigma'$ in the reduced
model. Let $\sigma = s_0 \xrightarrow{\alpha_0} s_1 \xrightarrow{\alpha_1} \cdots s_n \xrightarrow{\alpha_n} \cdots$ be an arbitrary transition sequence.
Given $\sigma$ and a natural number $i$, we denote by $\sigma_{<i}$ the prefix of $\sigma$ formed by
taking the first $i$ transitions, and by $\sigma_{\ge i}$ the remaining suffix of the transition
sequence. We prove by induction on $i$ that for prefixes of $\sigma$ with length $i \ge 0$
we can construct a sequence $\sigma'_{<j}$ of length $j \ge 0$ which is stuttering
equivalent to $\sigma_{<i}$. Moreover, $\forall k < j\,.\; \alpha'_k \in ample(s'_k)$, i.e., $\sigma'_{<j}$ is a finite sequence
of transitions which can be taken in the reduced model. In the course of the
induction proof, we will refer to $i$ and $j$ as the current points in $\sigma$ and $\sigma'$,
respectively. At each point, $\sigma'_{<j}$ will contain all transitions of $\sigma_{<i}$ (in some
order), with two possible types of transitions added:

(i)  Ample  transitions  after  the  current  point  in  a  may  be  executed  earlier 
(before  the  current  point)  in  a ' .  The  finite  ordered  set  (sequence)  I  C  N 
contains  the  indices  of  transitions  beyond  the  current  point  i  in  a  that 
have  been  already  included  in  o' .  We  call  such  transitions  marked. 

(ii)  Additional  ample  transitions  may  be  inserted  in  o'  in  order  to  ensure 
that  it  is  a  legal  transition  sequence  in  the  reduced  model.  We  denote 
the  sequence  of  all  such  inserted  transitions  by  5. 
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Notation:  If  I  C  N  is  a  finite  increasingly  ordered  set  of  indices,  we 
denote  by  oj/  the  transition  sequence  obtained  by  selecting  from  a  the  tran¬ 
sitions  with  indexes  in  /  (in  the  given  order).  Similarly,  we  denote  by  a\j  the 
sequence  obtained  by  deleting  from  o  the  transitions  whose  indices  are  in  I 
(here  the  ordering  of  I  is  irrelevant). 

Our  induction  invariant  relates  o.  i,  a',  j.  I ,  and  8  as  follows: 

(a)  The  transition  sequence  cr<-  is  stuttering  equivalent  to  cr<,;.  In  partic¬ 
ular,  L(si)  =  L(Sj). 

(b)  If  k  e  /,  then  k  >  i  and  Qk  is  invisible  and  independent  of  ai,  for  all 
l  &  I,i  <  l  <  k.  (A  marked  transition  is  invisible  and  independent  of 
all  unmarked  transitions  past  the  current  point  in  a  but  preceding  it.) 

(c)  The  transition  sequence  (ctfc)  | A:  >  i,k  /,  obtained  from  the  suffix  a >, 
by  removing  marked  transitions,  is  enabled  in  s'-  in  the  original  model. 

(d)  Each  transition  in  8  is  invisible  and  independent  of  all  transitions  o^, 
V/c  >i,k  $  I  (all  unmarked  transitions  past  the  current  point  in  a). 

(e)  Si  s'.  That  is,  the  marked  transitions  (comprising  o\i)  together 
with  the  inserted  transitions  (comprising  8)  are  exactly  those  that  be¬ 
long  to  a'<3  but  not  to  a<i.  Their  sequence  is  enabled  in  s*  and  takes 
this  state  to  s'-. 

For  the  base  case,  choose  j  =  i  =  0,  s'0  =  sq,  I  =  0  and  8  =  e  (the 
empty  sequence).  All  parts  of  the  invariant  are  trivially  satisfied:  (a)  is  true 
because  both  transition  sequences  consist  of  just  the  same  initial  state,  (b) 
is  vacuously  true,  since  /  is  empty,  (c)  is  true  since  a  is  enabled  in  so,  (d)  is 
vacuously  true  since  8  is  empty,  and  (e)  is  true  since  both  a\j  =  8  —  e  and 
s0  =  «o- 

For the induction step, we consider the following cases:

1. $i \in I$. (The next transition in $\sigma$ is marked.) Let $i' = i + 1$ and $I' = I \setminus \{i\}$. That is, we advance the current point in $\sigma$ and delete $\alpha_i$ from the set of marked transitions, since it is now before the current point. Since $\alpha_i$ is invisible according to (b), we have $L(s_{i+1}) = L(s_i) = L(s'_j)$, which maintains (a). Part (b) still holds since no transitions are added to $I$, and $\alpha_i$ is no longer relevant for the independence condition (since $i' = i + 1$). For parts (c) and (d) the unmarked sequence of transitions after the current point in $\sigma$ remains the same ($\alpha_i$ is no longer marked, but it is now before the current point), and $\delta$ does not change either. Finally, $i = \min I$, so $\alpha_i$ is the first transition in $\sigma|_I$, therefore (e) can be written as $s_i \xrightarrow{\alpha_i} s_{i+1} \xrightarrow{\sigma|_{I'}\,\delta} s'_j$, the last part of which is exactly (e) after this step.


2. $i \notin I$ and $\alpha_i \in ample(s'_j)$, so $\alpha_i$ is a legal transition in the reduced model. We include $\alpha_i$ in $\sigma'$, advance both counters ($i' = i + 1$, $j' = j + 1$) and set $s'_{j+1} = \alpha_i(s'_j)$. By (b) and (d), $\alpha_i$ is independent of all transitions in $\sigma|_I$ and $\delta$ and therefore commutes with them. Since $s_i \xrightarrow{\sigma|_I\,\delta} s'_j \xrightarrow{\alpha_i} s'_{j+1}$, it follows that $s_i \xrightarrow{\alpha_i} s_{i+1} \xrightarrow{\sigma|_I\,\delta} s'_{j+1}$, which proves (e). Moreover, $L(s_{i+1}) = L(s'_{j+1})$, so (a) is preserved. Part (b) is preserved since $I$ is the same ($i' = i + 1$ but $i \notin I$), and $\alpha_i$ no longer appears in the independence condition. The transition sequence in part (c) is of the form $\alpha_i\beta$ (with $\beta$ some transition string). If $\alpha_i\beta$ is enabled in $s'_j$, then $\beta$ is enabled in $\alpha_i(s'_j) = s'_{j+1}$. Finally, part (d) is weakened since $\alpha_i$ no longer appears.


3. $i \notin I$, $\alpha_i \notin ample(s'_j)$, and $\exists k > i, k \notin I$, such that $\alpha_k \in ample(s'_j)$. That is, $\alpha_i$ is neither marked nor ample, but there is an ample unmarked transition $\alpha_k$ later in the sequence. Let $k$ be the smallest such index. We mark transition $\alpha_k$ and append it to $\sigma'$, i.e., $I' = I \cup \{k\}$, $j' = j + 1$ and $s'_{j+1} = \alpha_k(s'_j)$. Because $\alpha_k$ is ample, $\sigma'_{<j'}$ is a legal transition sequence in the reduced model. Since $\alpha_i \notin ample(s'_j)$, $s'_j$ is not fully expanded, and $\alpha_k$ is invisible by C2. Thus $L(s'_{j+1}) = L(s'_j) = L(s_i)$, and (a) still holds. By condition C1, all transitions preceding $\alpha_k$ in $\sigma_{\geq i}\backslash_I$ (i.e., $\alpha_l$ with $i \leq l < k$, $l \notin I$) have to be independent of $\alpha_k$, so (b) is preserved. Independence implies commutativity, so $\alpha_k$ can be executed as first transition of $\sigma_{\geq i}\backslash_I$ in $s'_j$, and the remainder of this sequence remains enabled in $s'_{j+1}$, which proves (c). Part (d) still holds since $\delta$ is the same, and there is one less unmarked transition. By substituting $\alpha_k$ for $\alpha_l$ in (b), we obtain that $\alpha_k$ commutes with all marked transitions which occur later in $\sigma$, and because of (d) it also commutes with the transitions in $\delta$. Therefore, since $I' = I \cup \{k\}$, $s_i \xrightarrow{\sigma|_I\,\delta} s'_j \xrightarrow{\alpha_k} s'_{j+1}$ implies $s_i \xrightarrow{\sigma|_{I'}\,\delta} s'_{j+1}$ (with $\alpha_k$ inserted to preserve the increasing ordering of $I'$) and the final part of the invariant is proved.
4. $i \notin I$, and $\forall k \geq i, k \notin I$, $\alpha_k \notin ample(s'_j)$. That is, there is no remaining unmarked transition which belongs to $ample(s'_j)$. We need to insert an ample transition so $\sigma'$ remains a legal transition sequence in the reduced model. Select an arbitrary transition $\beta \in ample(s'_j)$ and let $j' = j + 1$, $s'_{j+1} = \beta(s'_j)$. We also append $\beta$ to the sequence of transitions inserted so far, $\delta' = \delta\beta$. Again, since $s'_j$ is not fully expanded, $\beta$ has to be invisible, so $L(s'_{j+1}) = L(s'_j) = L(s_i)$, and (a) still holds. None of the variables involved in (b) changes. Since $\beta$ is independent of all transitions in the sequence of part (c) (by C1, as none of them belongs to $ample(s'_j)$), (c) remains valid as well, and $\beta$ can also be appended to $\delta$ without violating (d). Finally, $s_i \xrightarrow{\sigma|_I\,\delta} s'_j \xrightarrow{\beta} s'_{j+1}$, therefore $s_i \xrightarrow{\sigma|_I\,\delta'} s'_{j+1}$, which proves (e).

To conclude the induction proof, we note that only a finite number of steps of type (3) or (4) (for which the current point in $\sigma$ is not advanced) can be taken without performing either (1) or (2). Otherwise, the transition sequence $\sigma'_{\geq j}$ eventually closes a cycle on which transition $\alpha_i$ is always enabled without ever belonging to an ample set, which contradicts C3. Therefore, after a finite number of steps either (1) or (2) must be performed, which advances the current point in $\sigma$ by 1, $i' = i + 1$. The above four cases therefore guarantee a finite procedure that constructs in the reduced model a stuttering equivalent prefix for $\sigma_{<i+1}$ starting from a similar prefix for $\sigma_{<i}$. We also note that since every transition in $\sigma_{<i}$ is included in $\sigma'_{<j}$, we have $i \leq j$, which ensures that $j$ grows unbounded as $i$ does. By induction, a stuttering equivalent sequence $\sigma'$ exists in the reduced model for the entire transition sequence $\sigma$, q.e.d.

2.6 Calculating Ample Sets

The established conditions for ample set reduction do not directly provide an operational procedure that effectively determines an ample set of transitions at each state. To apply partial order reduction in practice, a procedure which computes ample sets has to be devised. On one hand, this procedure must generate ample sets that are small enough so that the resulting state space is significantly smaller than the original one. On the other hand, the algorithm must be sufficiently simple so that it can be implemented easily, without introducing significant overhead and slowing down verification. This section reviews some selection criteria which are typically employed to ensure that each of the given conditions is satisfied.

It is trivial to verify that the ample set is nonempty (condition C0). Likewise, the visibility of a transition is immediately determined, and thus for condition C2 it suffices to examine each transition in turn. In fact, in order to obtain small ample sets, a single invisible transition is the ideal case.

In general, however, it is much more difficult to check condition C1. First, this condition describes a property of ample sets in terms of the execution sequences of the full state-transition graph, and the principal aim of the reduction technique is to avoid constructing this graph in the first place. Furthermore, the execution sequences on which C1 would have to be checked can extend arbitrarily far into the future, up to the occurrence of the first ample transition. In general, checking condition C1 is at least as hard as checking reachability for the full state transition graph, as has been shown in [CGP99].

In practice, using a general algorithm that verifies condition C1 for an arbitrarily chosen set of ample transitions could be quite expensive. Instead, partial order verifiers take advantage of the specific system structure to generate ample sets of transitions for which C1 can be easily guaranteed to hold. In particular, the ample set selection becomes much easier in the typical case when the system is described as a composition of concurrent processes. We present practical conditions that can be used for concurrent processes with synchronous communication, a model which also forms the underlying control structure for timed automata, and discuss how the introduction of global data variables affects these conditions.

A system consists in this case of a set of processes, which are modeled as state-transition graphs. Each process may also have a set of local variables that can be changed only by transitions performed by that process. Control states and local variables form the local state of the process, and the product of the local states forms the global state of the system. A transition that only changes the control state and local variables of a process is called an internal transition.

In the synchronous communication model, the sender and the receiver coordinate, and the sending and receiving transitions occur simultaneously. This is the case, for example, in Communicating Sequential Processes [Hoa95] and in the rendezvous model of ADA. The sending and receiving transitions can therefore be considered as a common transition shared by the two processes. We call such a transition a communication transition. Simultaneous communication between more than two processes can be handled in the same way. Assume that all transitions in the system are either local or communication transitions.

Two local transitions, each belonging to a distinct process, are clearly independent, since the execution of each depends only on the local state of its process and produces changes only in its local state. Two local transitions enabled from the same state of one process are dependent, since executing one will lead to a different local state, from which the other transition is no longer enabled. Consequently, if at a given state an ample set contains a local transition, it must contain all other enabled local transitions of the same process.

For communication transitions, the dependence relation is more complex. If a process $P_i$ is at a communication point (from which a send or receive transition can be executed), the corresponding communication transition is said to be locally enabled by $P_i$. More precisely, a communication transition between two processes $P_i$ and $P_j$ is said to be locally enabled by $P_i$ at state $s$ if it can be executed from some state $s'$ that has the same local state of $P_i$ as $s$. The transition is only enabled globally when the communication partner of $P_i$ is also at its corresponding communication point.

Locally enabled transitions must be considered in the computation of ample sets even if they are not globally enabled. Consider a process $P_i$ which has two outgoing transitions at its current state: a local transition $\alpha$ and a locally enabled (but globally disabled) communication transition $\beta$ with some other process $P_j$. Including only the enabled local transition in the ample set of the current state is not sufficient, since the communication transition (which is dependent on $\alpha$, originating at the same state) may potentially become enabled if $P_j$ reaches its communication point after executing some local transitions, which are not part of the ample set. This would contradict condition C1.

Consequently, if the transitions enabled at the current state $s$ in some process $P_i$ are included in the ample set for that state, so must be all enabled transitions of processes $P_j$ whose communication transitions with $P_i$ are locally enabled in $P_i$ at state $s$. Taking the transitive closure of this operation, the following condition is obtained (cf. [Pel96b]):

Let $ample(s)$ be the set of all transitions enabled at $s$ in some set of processes $\mathcal{P}$ with the following property: No process $P_i \in \mathcal{P}$ has a communication transition locally enabled in $P_i$ with a process outside of $\mathcal{P}$.

In practice, the rule is applied by first selecting a single process as a member of $\mathcal{P}$ and then repeatedly adding the processes that communicate with processes in $\mathcal{P}$. If $\mathcal{P}$ grows to include all processes, the state is fully expanded and no reduction is obtained at that state.

Consider now the case where the model is augmented to include global variables, which can be tested by boolean guards associated with transitions, and assigned as an effect of executing a transition. The dependence relation now has to take global variables into account. If $readv(\alpha)$ and $writev(\alpha)$ denote the sets of global variables read and written, respectively, by a transition $\alpha$, then two transitions $\alpha$ and $\beta$ in separate processes are still independent if there is no read-write or write-write conflict between them, i.e., $readv(\alpha) \cap writev(\beta) = readv(\beta) \cap writev(\alpha) = writev(\alpha) \cap writev(\beta) = \emptyset$ (cf. [God96]).

An ample set can be determined similarly as above by taking into account that shared variables are a form of communication. Thus, a transition disabled at the current state in some process because its guard is not satisfied may become enabled if a global variable in its guard is modified by a transition in some other process $P_j$. Hence, one can choose as $ample(s)$ the set of all transitions enabled at $s$ in some set of processes $\mathcal{P}$ with the following property: No process $P_i \in \mathcal{P}$ has a communication transition locally enabled in $P_i$ with a process outside of $\mathcal{P}$ or has a transition whose guard reads a global variable written to by a process outside of $\mathcal{P}$.
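The process-closure rule above, together with the read/write independence test, as an added example in Python (not code from the dissertation; the four-process system, channel name c and global variable x are constructed for illustration, and only conditions C0 and C1 are modelled):

```python
"""Ample set selection for processes with synchronous (rendezvous)
communication and global variables, following the process-closure rule and
the read/write independence test of Section 2.6.  Added example, not code
from the dissertation; the sample system below is constructed.  Only C0 and
C1 are handled: visibility (C2) and the cycle condition (C3) are not
modelled."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Trans:
    proc: str                              # owning process
    src: int                               # source control state
    dst: int                               # target control state
    chan: Optional[str] = None             # channel of a communication transition
    partner: Optional[str] = None          # partner process of that communication
    reads: FrozenSet[str] = frozenset()    # global variables read by the guard
    writes: FrozenSet[str] = frozenset()   # global variables assigned
    guard: Optional[Callable[[Dict[str, int]], bool]] = None


# global state = (control state of each process, valuation of global variables)
State = Tuple[Dict[str, int], Dict[str, int]]


def locally_enabled(t: Trans, control: Dict[str, int]) -> bool:
    """Enabled as far as the control state of the owning process is concerned."""
    return control[t.proc] == t.src


def enabled(t: Trans, state: State, trans: List[Trans]) -> bool:
    """Globally enabled: the guard holds and, for a rendezvous, the partner is
    at its matching communication point (each side is its own Trans here)."""
    control, env = state
    if not locally_enabled(t, control) or (t.guard and not t.guard(env)):
        return False
    if t.chan is None:
        return True
    return any(u.proc == t.partner and u.partner == t.proc and u.chan == t.chan
               and locally_enabled(u, control) for u in trans)


def independent(a: Trans, b: Trans) -> bool:
    """Independence via the read-write / write-write conflict test; a
    communication transition belongs to both participating processes."""
    if ({a.proc, a.partner} - {None}) & ({b.proc, b.partner} - {None}):
        return False   # transitions of one process are dependent
    return not (a.reads & b.writes or b.reads & a.writes or a.writes & b.writes)


def writers(var: str, trans: List[Trans]) -> FrozenSet[str]:
    return frozenset(t.proc for t in trans if var in t.writes)


def process_closure(seed: str, control: Dict[str, int], trans: List[Trans]) -> FrozenSet[str]:
    """Smallest process set P containing seed such that no process in P has a
    locally enabled communication with a process outside P, nor a transition
    whose guard reads a global variable written by a process outside P."""
    closure, work = {seed}, [seed]
    while work:
        p = work.pop()
        for t in trans:
            if t.proc != p or not locally_enabled(t, control):
                continue
            needed = set() if t.partner is None else {t.partner}
            for v in t.reads:
                needed |= writers(v, trans)
            for q in needed - closure:
                closure.add(q)
                work.append(q)
    return frozenset(closure)


def ample(state: State, trans: List[Trans]) -> List[Trans]:
    """Try every process as the first member of P and keep the smallest
    nonempty (C0) candidate; the fully expanded state is the fallback."""
    control, _ = state
    all_enabled = [t for t in trans if enabled(t, state, trans)]
    best = all_enabled
    for seed in control:
        procs = process_closure(seed, control, trans)
        cand = [t for t in all_enabled if t.proc in procs]
        if cand and len(cand) < len(best):
            best = cand
    return best


# Constructed sample system: A takes a local step, then A and B rendezvous on
# channel c; C assigns global x, whose value guards the only step of D.
SYSTEM = [
    Trans("A", 0, 1),
    Trans("A", 1, 2, chan="c", partner="B"),
    Trans("B", 0, 1, chan="c", partner="A"),
    Trans("B", 1, 2),
    Trans("C", 0, 1, writes=frozenset({"x"})),
    Trans("D", 0, 1, reads=frozenset({"x"}), guard=lambda env: env["x"] == 1),
]
INIT: State = ({"A": 0, "B": 0, "C": 0, "D": 0}, {"x": 0})
```

At the initial state the closure seeded with B pulls in A (B's rendezvous is locally enabled), and the closure seeded with D pulls in C (D's guard reads x, which C writes), so the smallest ample set is A's single local step.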

The above conditions take a conservative approach to enforcing condition C1, specifically in identifying when a transition may become enabled by a transition from some other process. However, a more detailed analysis can be used to produce smaller ample sets. For example, it is possible to weaken the condition given above which selects a set of processes $\mathcal{P}$. It is safe for a process from $\mathcal{P}$ to have a locally enabled communication transition with a process outside $\mathcal{P}$ if it can be determined that this communication cannot actually take place in any state reachable from the current state.

However, checking that a transition is disabled in the future on any path starting from a given state is again as hard as the model checking problem itself. To avoid this problem, one can use an analysis procedure which is able to identify some of the transitions that can no longer become enabled starting from the current state, rather than all of them. To achieve this, one can perform a separate reachability analysis for each process, relying on the fact that a single process has a much smaller state space than the global system. For the synchronous communication case discussed above, one would check whether the matching communication transition can be reached in the other process starting from its local state, assuming conservatively that all communication transitions with other processes are enabled by those processes. In the case of systems containing data variables, it is possible to selectively or completely abstract away their values, and in the simplest case perform only a static analysis of the control flow graph of the process.

This analysis can be performed in a preliminary stage of the reduction algorithm, and the state transition graph may be annotated with information that allows both the selection of smaller ample sets and their faster computation at run-time, thus increasing the performance of partial order reduction both in terms of memory requirements and execution time.


2.7 Other Partial Order Reduction Methods

The ample set approach to reduction, as well as the related methods that use stubborn or persistent sets, generate a reduced model based on exploiting information about the structure of the system, about enabled, disabled and independent transitions. A different technique, the sleep set method suggested by Godefroid [God90] for detecting deadlocks, exploits instead information about the past of the search.

One potential limitation of ample sets is that they have to be transitively closed with respect to dependency. This can lead to ample sets that contain pairs of independent transitions, simply because each of them is dependent on some other transition in the ample set. Since all transitions from an ample set are explored, the algorithm will be forced to consider both interleavings for two independent transitions, which is unnecessary and contrary to the initial purpose of reduction.

The sleep set approach addresses this problem by maintaining for each state $s$ expanded by the algorithm a set of transitions $sleep(s)$. This set contains the transitions which do not have to be explored from $s$. As a state is expanded, all transitions explored from it are added one by one to its sleep set. Part of these transitions are inherited by the successors of $s$ as follows: If transition $\alpha$ is explored from state $s$, leading to state $s' = \alpha(s)$, all transitions $\beta \in sleep(s)$ which are independent of $\alpha$ are added to $sleep(s')$. This can be done because exploring $\alpha$ and then $\beta$ has the same effect as exploring $\beta$ followed by $\alpha$, and $\beta$ can be in $sleep(s)$ for two reasons. First, $\beta$ did not need to be explored from $s$, and thus $\beta\alpha$ (and hence $\alpha\beta$) is also not needed. Second, $\beta$ has already been explored from $s$, and in the process also the sequence $\beta\alpha$. Therefore, the equivalent sequence $\alpha\beta$ is no longer needed.

During the state space search, sleep sets for each state are stored. If a state is reached again during expansion, a new sleep set is calculated for it, and is compared with the previous value. If the old sleep set contains transitions that do not belong to the new sleep set, the node is expanded again with a sleep set which is the intersection of the new and the old sleep set. This ensures that if a state is reached from several states, enough successors are explored in all cases.

It has been shown [GW91] that the sleep set and persistent set reduction methods are orthogonal and hence their benefits can be combined.
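The sleep set search described above, as an added example (not code from the dissertation): the model of independent local steps is constructed for illustration, and the search can be run with and without sleep sets so the saving in explored transitions is visible.

```python
"""Depth-first search with sleep sets, as described in Section 2.7.  Added
example, not code from the dissertation; the system model is constructed:
each of `nprocs` processes performs `steps` sequential local transitions,
and transitions of different processes are independent."""
from typing import Dict, FrozenSet, List, Tuple

State = Tuple[int, ...]   # program counter of every process
Trans = Tuple[int, int]   # (process, step index)


def enabled(s: State, steps: int) -> List[Trans]:
    return [(p, s[p]) for p in range(len(s)) if s[p] < steps]


def apply(s: State, t: Trans) -> State:
    p = t[0]
    return s[:p] + (s[p] + 1,) + s[p + 1:]


def independent(a: Trans, b: Trans) -> bool:
    return a[0] != b[0]   # local steps of distinct processes commute


class SleepSearch:
    def __init__(self, nprocs: int, steps: int, use_sleep: bool = True):
        self.steps, self.use_sleep = steps, use_sleep
        self.init: State = (0,) * nprocs
        self.sleep_of: Dict[State, FrozenSet[Trans]] = {}  # sleep set stored per visited state
        self.explored = 0                                   # transitions actually explored

    def run(self) -> int:
        self.explore(self.init, frozenset())
        return self.explored

    def explore(self, s: State, sleep: FrozenSet[Trans]) -> None:
        if s in self.sleep_of:
            old = self.sleep_of[s]
            if old <= sleep:
                return           # everything outside the new sleep set was already explored
            sleep = old & sleep  # old set has extra transitions: re-expand with the intersection
        self.sleep_of[s] = sleep
        for t in enabled(s, self.steps):
            if t in sleep:
                continue         # does not have to be explored from s
            self.explored += 1
            # the successor inherits the sleeping transitions independent of t
            inherited = frozenset(b for b in sleep if independent(b, t))
            self.explore(apply(s, t), inherited)
            if self.use_sleep:
                sleep = sleep | {t}   # t is done; its interleaving after later siblings is redundant
```

For two processes with two steps each, the full search explores 12 transitions and the sleep set search 8, while both reach all 9 global states, as the test below checks.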

A conceptually different approach to partial order reduction is the unfolding technique of McMillan [McM92, McM95]. This method is directly based on the partial order model of execution and was originally defined in the context of Petri nets. In this approach, a structure of partially ordered local states is constructed, with the order between events representing the causal order of their execution. The unfolding algorithm generates a representation of the checked system which is sometimes called an event structure. It thus avoids generating the global states of the system altogether. The original unfolding algorithm was designed for deadlock detection. Subsequently, extensions of this algorithm were developed for checking different properties, e.g., by Esparza [Esp94]. The unfolding technique also stands at the basis of some partial order reduction approaches for time Petri nets, for instance in [Lil98, BF99].

Since partial order reduction is based on the assumption that a significant number of the execution traces of the system differ only in the ordering of transitions, it is not a technique which universally leads to good reduction results for all types of systems. Even for systems where partial order reduction is efficient, supplementary benefits can still be obtained by employing additional reduction techniques. However, since partial order reduction implies significant changes in the model checking algorithm, its applicability jointly with other methods does not always follow in a straightforward fashion.

Partial order reduction can be combined with on-the-fly model checking [Kur94], a method in which the reduced state space is generated at the same time as the search for counterexamples that falsify the checked property. Employing this approach can result in significant space savings, since a counterexample may be found before the entire (reduced) state graph is generated [Pel94, Val90].

Often, concurrent systems contain several identical components. In this case, symmetry can provide stronger, supplementary reduction conditions. Partial order reduction and symmetry have been combined in [EJP97].

Symbolic model checking [BCM+90, McM93], which uses BDDs to efficiently store and manipulate sets of states, has had a significant impact on verification. Though mainly used for synchronous hardware systems, it performs well for asynchronous systems as well and is thus a natural candidate to combine with partial order reduction. One method for the joint use of these techniques was suggested in [ABH+97], using a reduction based on breadth first search [CP96]. A different approach to combining these methods, based on a static generation of the reduced model, is suggested in [KLM+97, KLM+98]. This approach is presented in detail in the next section.


2.8 Static Partial Order Reduction

In the verification literature, partial order reduction has been used as a method for verifying mainly asynchronous concurrent systems, and has been traditionally implemented using explicit-state depth-first search. On the other hand, significant advances in alleviating the state-space explosion problem have been obtained using symbolic model checking [BCM+90, McM93], which uses an implicit representation of the state space. This method has shown significant benefits especially in verification of synchronous hardware systems. It appears natural to investigate whether the two methods can be combined, since this approach offers several potential benefits.

First, there is the potential of combining the efficiency gain of both methods: partial order reduction decreases the size of the search space, whereas symbolic techniques can further offer a compact representation with smaller amounts of memory and efficient space traversal algorithms. Second, the combined approach could exploit the advantages of the individual methods for systems that comprise components from the application domains of both methods: asynchronous hardware or mixed hardware-software systems. Furthermore, the approach could be extended to address different application domains.

The approach to partial order reduction presented here has been developed in a team working on a hardware-software co-verification project at Bell Laboratories. The targeted models were embedded systems, in which the software was written in SDL [SDL93]. The hardware was described in the automata-based language S/R of the model checker COSPAN [HK90], which can verify synchronous models and supports as an option BDD-based symbolic search. With this purpose in mind, a partial order reduction procedure was needed that satisfied the following goals:

• The reduction method should work efficiently for systems that are composed of both hardware and software. In particular, it should be usable in conjunction with BDDs and symbolic model checking.

• The reduction algorithm should be independent of the type of search (e.g., depth-first or breadth-first search).

• The reduction should be performed as much as possible during the generation of the system model.

• The reduction procedure should be adaptable to existing model checking tools without requiring changes to their search engines.

The last requirement in particular was important not only in the initial setting of this work, where an existing model checker had to be used as back-end, but also in general. Since both partial order reduction algorithms and model checking engines are quite complex, an approach which completely separates reduction from model checking greatly increases the ease of applying reduction, as well as the possibility of combining it with other optimizations brought to the model checking engine.

The  partial  order  reduction  approach  of  selecting  a  subset  of  the  enabled 
actions  from  each  state  to  generate  a  smaller  model  is  not  inherently  incom¬ 
patible  with  a  symbolic  BDD-based  search.  However,  model  checkers  that 
incorporate  partial  order  reduction  have  so  far  used  mostly  an  explicit  state 
depth-first  search,  since  this  approach  is  suggested  by  the  cycle-closing  con¬ 
dition  C3.  Recall  that  a  transition  which  is  enabled  in  every  state  of  a  cycle 
has  to  belong  to  the  ample  set  of  some  state  of  that  cycle  in  order  for  the  re¬ 
duction  to  be  correct.  The  stack  maintained  by  a  depth-first  search  provides 
an  easy  means  to  check  this  condition. 

Alternate  means  to  ensure  this  reduction  condition  have  been  suggested 
first  by  Holzmann  and  Peled  [HP94].  They  describe  a  static  implementation 
of  the  reduction  conditions  in  the  model  checker  SPIN  [Hol92].  However, 
despite  being  static,  this  approach  required  significant  changes  to  the  code  of 
the  SPIN  model  checker  in  order  to  control  its  backtracking  mechanism.  Sub¬ 
sequently,  Chou  and  Peled  [CP96],  as  a  by-product  to  giving  a  mechanized 
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proof  of  the  partial  order  reduction  conditions,  showed  that  the  cycle-closing 
condition  could  also  be  used  with  breadth-first  search. 

A  first  method  for  combining  partial  order  reduction  and  symbolic  model 
checking  using  BDDs  was  given  in  [ABH+97].  This  solution  uses  the  set  of 
reached  states  as  history  and  is  based  on  a  conservative  approximation  of 
when  a  cycle  may  be  closed  during  a  breadth-first  search.  Essentially,  when 
an  edge  connects  a  node  to  another  node  that  is  at  the  same  or  a  lower  level 
in  the  breadth-first  search,  it  is  assumed  to  close  a  cycle. 

The static partial order reduction approach presented here is different and more general in that all the information needed for performing the partial order reduction is obtained during a compilation of the system model. The partial order reduction step is effectively a preprocessing phase that takes a system description and modifies it such that only a reduced number of transitions are enabled at each state, corresponding precisely to an ample set. The resulting model is still described in the same input language as the original model and can be used as an input for the model checker without requiring any changes to it. This is in contrast to usual partial order reduction algorithms, which are applied on the internal representation of the system used by the model checker and interact with its search algorithms. It is precisely this separation of the reduction step that allows the combination of partial order reduction with BDD-based algorithms and, in general, with any optimization technique applied by the model checker.

2.8.1 A Modified Cycle Closing Condition

The cycle closing condition C3 guarantees that a transition which is enabled in all states of a cycle is eventually chosen as part of an ample set. In practice, a slightly stronger condition is used, which states that at least one state on every cycle in the reduced state graph is fully expanded. This formulation clearly implies C3, since a transition which is continuously enabled along a cycle will be explored at the state that is fully expanded.

Typically, C3 is ensured during depth-first search by examining the successors of all transitions that make up a candidate for an ample set. If any of these states has not been completely explored yet (i.e., is still on the search stack), the chosen set of transitions cannot be an ample set. Another candidate set has to be found at that state, or the state has to be fully expanded.

In devising a new means to enforce the cycle closing condition, we first observe that both C2 and C3 limit the extent of the reduction: they define cases where a state has to be fully expanded. Moreover, condition C2 can help to ensure C3: on a cycle which contains a visible transition, C2 guarantees that the originating state of that transition is fully expanded, and hence the cycle also satisfies C3. This observation suggests that C2 and C3 can be combined into a single condition C2':

C2'  There exists a set of transitions $T_s$, which includes all visible transitions, such that any cycle in the reduced state space contains a transition from $T_s$. If $ample(s) \cap T_s \neq \emptyset$, then $ample(s) = enabled(s)$.

In other words, any cycle in the reduced state graph must execute at least one transition from $T_s$, and the originating states of any transitions in $T_s$ are fully expanded. The transitions in $T_s$ have been called sticky transitions, since they "stick" to all other transitions which are enabled at the same state and force their exploration.

We have seen in Section 2.6 how to ensure condition C1 statically for systems composed of communicating processes. It remains to devise a procedure that determines a suitable set $T_s$ of transitions which breaks all cycles in the reduced state space. This cannot be done directly, since the reduced state space itself depends on which transitions are chosen for exploration, and implicitly on $T_s$. However, the problem can be reduced to a simpler one, by observing that in a system composed of multiple processes, each cycle in the global state space projects to a cycle in each of the component processes. Conversely, a set of sticky transitions that breaks each local cycle is also guaranteed to break each global cycle. Thus, it is sufficient that the removal of all sticky transitions leave all component processes acyclic, a condition which can be ensured statically and locally, without constructing the state space of either the full or the reduced model.

Thus, condition C2' can be strengthened to the following formulation:

C2''  There exists a set of sticky transitions $T_s$ which includes all visible transitions, such that each local cycle of a component process contains at least one sticky transition. If $ample(s)$ includes a sticky transition, then $s$ is fully expanded.

Since a sticky transition forces a state to be fully expanded, it follows that fewer sticky transitions will result in a better reduction. It is important therefore to generate a small set $T_s$ of sticky transitions. However, as with the selection of ample sets, the actual efficiency of the reduction depends on which transitions are chosen to be sticky, and not solely on the number of transitions. Likewise, it is important that the set of sticky transitions be generated with a small overhead.
Assuming that a set of sticky transitions has been selected, a useful reduction strategy is to attempt at each state to find an ample set without including a sticky transition, in order to postpone the full expansion of a state as much as possible. Eventually, a sticky transition has to be selected, since otherwise no cycle can be closed, and the current state is expanded completely. However, it is likely that by giving priority to non-sticky transitions, the set of enabled transitions at that state contains many sticky transitions which have been delayed so far. Thus, rather than having each of them force the full expansion of a different state, only one state needs to be expanded, and the effect of having many sticky transitions is compensated to some extent.

Even with this heuristic, it is beneficial to generate a small set of sticky transitions in the first place. The next section describes how this can be done by analyzing the effects of transitions and their dependencies to determine potential cycles in the state space. The procedure given in this section marks transitions in order to satisfy the weaker condition C2', resorting to the stronger condition C2'' only when no optimizations can be made.

2.8.2 Determining Sticky Transitions

We examine the common case of a system with a control structure defined by parallel processes, and a set of data variables. Consider a finite state system composed of processes $P_1, P_2, \ldots, P_n$, each of which is described as a state-transition graph, also called process control graph. In addition, the system may contain a set $V$ of variables which may be either global or local to a process, and whose value may be changed by the transitions in the system. The state of the system is thus composed of the control state of each process, together with the values of the variables.

Let $T_v$ be the set of visible transitions. Following condition C2'', it suffices to find a set of transitions $T_s \supseteq T_v$, such that all process control graphs become acyclic when the transitions from $T_s$ are removed. Here, the removal of a transition which changes the state in several processes means the removal of all edges that are projections of the transition in the process control graphs. After first removing the visible transitions, the remainder of each process control graph can be made acyclic in linear time by removing all back edges in a depth-first search. Yet, in the worst case, up to half of the edges need to be removed, whereas our goal is to keep this set small. For the general case, a somewhat better bound on the number of edges is presented in [BS97], and [ELS93] gives a simple heuristic algorithm to find a small set of such edges in linear time. In the following, we exploit the semantic structure of the system in order to obtain a small set of sticky transitions.

As a preliminary observation, the projection of any global cycle onto a process control graph has to belong to some strongly connected component of the control graph. Thus, any transitions whose projections do not belong to a strongly connected component can be ignored in the following analysis.

The key observation is that a cycle in the state space of the system has not only to restore the control point of each process, but also the value of each data variable. Assume that an ordering relation $\prec_v$ is defined on the domain of a variable $v$. Then, if a cycle contains a transition that increases the value of $v$ (with respect to $\prec_v$), this must be compensated by a transition which decreases the value of $v$.

Consequently, we examine the effect of a transition $\alpha$ on a variable $v$. If it can be established statically that all executions of $\alpha$ increment (or, respectively, decrement) $v$, we denote $effect(\alpha, v) = +$, and, respectively, $effect(\alpha, v) = -$. If $\alpha$ always leaves $v$ unmodified, we denote $effect(\alpha, v) = 0$. Finally, if the effect of $\alpha$ varies from one execution to another, or cannot be determined statically, we denote $effect(\alpha, v) = *$.

If $effect(\alpha, v) = +$, define $Compensate(\alpha, v) = \{\beta \mid effect(\beta, v) \in \{-, *\}\}$ as the set of all transitions whose effect on $v$ is potentially opposite to that of $\alpha$, and likewise $Compensate(\alpha, v) = \{\beta \mid effect(\beta, v) \in \{+, *\}\}$ for $effect(\alpha, v) = -$. It follows that if a cycle contains a transition $\alpha$, it also has to contain at least one transition from $Compensate(\alpha, v)$ in order to restore the value of $v$.

The information about the effects of transitions on variables can be used to remove additional edges from a process control graph, without having to mark them as sticky, thus reducing the number of sticky transitions needed to break all its cycles. First, let $T_u$ be the set of uncompensated transitions $\alpha$, for which there exists a variable $v$ such that $Compensate(\alpha, v) = \emptyset$. Then $\alpha$ cannot belong to any global cycle in the system state space, since no other transition can restore the value of $v$. Thus, the transitions in $T_u$ can be removed from all process control graphs.

Second, suppose that $Handled$ is the set of transitions for which we already know that any global cycle containing a transition from this set will also contain a sticky transition. For instance, this is trivially true if $Handled$ is the set of sticky transitions selected so far; ultimately, we want all transitions to be in $Handled$, which would guarantee C2'. For a transition $\alpha$, we define the predicate $Covered(\alpha, Handled) = \exists v \in V.\ Compensate(\alpha, v) \subseteq Handled$. Then, any cycle which contains a transition $\alpha$ covered by $Handled$ will also contain a transition from $Handled$ and thus a sticky transition. Again, $\alpha$ can be removed from all process control graphs since all potential cycles containing $\alpha$ already contain sticky transitions.

The notions and properties established so far lead to the following algorithm for computing a set $T_s$ of sticky transitions, given in Figure 2.5:

    remove T_u and T_v from all process control graphs
    Handled = T_s = T_v
    for all strongly connected components C of process control graphs
        C' = C
        for all transitions a in C
            if Covered(a, Handled) then C' = C' \ {a}
        T_s = T_s U BackEdges(C')
        Handled = Handled U transitions(C)
    end

Figure 2.5: Algorithm for computing sticky sets

Initially, the visible and uncompensated transitions are removed from all process control graphs, and the sets of handled and sticky transitions are initialized with all visible transitions. Next, we consider in turn the strongly connected components of all process control graphs. First, we compute the set of transitions which always belong to cycles containing transitions handled so far, and remove them from the strongly connected component $C$. Next, all back edges of the resulting graph $C'$ are found and marked as sticky. At this point, any cycle with a transition from $C$ contains a sticky transition, and the transitions from $C$ can thus be included in $Handled$. The algorithm completes when all strongly connected components are analyzed.
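The procedure of Figure 2.5 run on a small constructed system, as an added example that is not the dissertation's code: two process control graphs, per-transition effects on variables, and our own Tarjan SCC and depth-first back-edge routines standing in for BackEdges(C'), which the text does not spell out.

```python
# Added example, not the dissertation's code: the sticky-set procedure of
# Figure 2.5 on a constructed system. Tarjan SCC and a DFS back-edge search
# are our own choice for BackEdges(C'), which the text does not spell out.
from collections import defaultdict

PLUS, MINUS, ZERO, STAR = "+", "-", "0", "*"


def effect(effects, a, v):
    return effects[a].get(v, ZERO)          # unmentioned variables are untouched


def compensate(effects, a, v):
    """Compensate(a, v); None when effect(a, v) is 0 or * (no set is defined)."""
    opp = {PLUS: {MINUS, STAR}, MINUS: {PLUS, STAR}}.get(effect(effects, a, v))
    return None if opp is None else {b for b in effects if effect(effects, b, v) in opp}


def uncompensated(effects, variables):
    """T_u: transitions changing a variable that no transition can restore."""
    return {a for a in effects
            if any(compensate(effects, a, v) == set() for v in variables)}


def covered(effects, variables, a, handled):
    """Covered(a, Handled) = exists v . Compensate(a, v) subset of Handled."""
    return any(c is not None and c <= handled
               for c in (compensate(effects, a, v) for v in variables))


def graph(edges):
    adj, nodes = defaultdict(list), set()
    for s, d, t in edges:
        adj[s].append((d, t))
        nodes |= {s, d}
    return adj, sorted(nodes)


def sccs(edges):
    """Tarjan's algorithm: node sets of the strongly connected components."""
    adj, nodes = graph(edges)
    index, low, stack, out = {}, {}, [], []

    def visit(n):
        index[n] = low[n] = len(index)
        stack.append(n)
        for m, _ in adj[n]:
            if m not in index:
                visit(m)
                low[n] = min(low[n], low[m])
            elif m in stack:
                low[n] = min(low[n], index[m])
        if low[n] == index[n]:              # n is the root of a component
            i = stack.index(n)
            out.append(set(stack[i:]))
            del stack[i:]

    for n in nodes:
        if n not in index:
            visit(n)
    return out


def back_edges(edges):
    """Labels of DFS back edges (target still on the DFS path); removing
    them leaves the graph acyclic."""
    adj, nodes = graph(edges)
    state, back = {}, set()                  # "gray" = on path, "black" = done

    def visit(n):
        state[n] = "gray"
        for m, t in adj[n]:
            if state.get(m) == "gray":
                back.add(t)
            elif m not in state:
                visit(m)
        state[n] = "black"

    for n in nodes:
        if n not in state:
            visit(n)
    return back


def sticky_transitions(effects, visible, procs):
    """Figure 2.5. procs maps a process name to its edges (src, dst, transition);
    a transition named in several processes is a synchronization, and all of
    its projections are dropped together."""
    variables = {v for eff in effects.values() for v in eff}
    tu = uncompensated(effects, variables)
    handled, ts = set(visible), set(visible)
    for proc in sorted(procs):
        edges = [e for e in procs[proc] if e[2] not in visible | tu]
        for comp in sccs(edges):
            c_edges = [e for e in edges if e[0] in comp and e[1] in comp]
            if not c_edges:
                continue                     # single node without a local cycle
            c_prime = [e for e in c_edges
                       if not covered(effects, variables, e[2], handled)]
            ts |= back_edges(c_prime)        # C' made acyclic by sticky edges
            handled |= {e[2] for e in c_edges}
    return ts


# Constructed system: P1 moves a shared counter x up and down; P2 raises x
# on "req" and bumps an uncompensated counter z on "tick"; "log" is visible.
EFFECTS = {"log": {}, "inc": {"x": PLUS}, "dec": {"x": MINUS}, "req": {"x": PLUS},
           "work": {}, "done": {}, "tick": {"z": PLUS}}
VISIBLE = {"log"}
PROCS = {"P1": [("a", "a", "log"), ("a", "b", "inc"), ("b", "a", "dec")],
         "P2": [("c", "d", "req"), ("d", "e", "work"), ("e", "c", "done"),
                ("d", "d", "tick")]}


def example_sticky_set():
    return sticky_transitions(EFFECTS, VISIBLE, PROCS)


if __name__ == "__main__":
    print(sorted(example_sticky_set()))      # ['dec', 'log']
```

On this system "tick" is dropped as uncompensated, "dec" becomes sticky as the back edge of P1's cycle, and P2's cycle needs no sticky transition because "req" is covered once "dec" is handled.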

2.8.3 Experimental Evaluation

Conceptually, static reduction cannot benefit from all the information which is available to a dynamic reduction algorithm. In our framework, determining when a cycle can be closed in the global state space is based on a conservative analysis of the local cycles in all component processes. It is possible that transitions are marked as sticky in order to break global cycles that never actually occur during the execution of the system. In comparison, traditional dynamic reduction techniques can use complete state information as well as the history of the search in order to guide the selection of ample transitions.

A first evaluation of static partial order reduction is reported in [KLM+98] after implementing static partial order reduction in a compiler from SDL to S/R. Several typical benchmarks exhibiting concurrency have been analyzed, including a concurrent sorting algorithm, a leader election protocol and an asynchronous tree arbiter, all parameterized with various numbers of processes. The results reported in [KLM+98] are presented here in Table 2.1. A comparison of static partial order reduction with the traditional dynamic algorithm, using explicit state search in both cases, has shown similar performance in terms of the resulting state space. Thus, in practice the limited information available to a static technique does not lead to performance drawbacks if a good algorithm for selecting sticky transitions is employed.

    Experiment                  Number of states
                                (no reduction)    (static reduction)
    Concurrent sort, N = 2                 191                    66
    Concurrent sort, N = 3                4903                   553
    Concurrent sort, N = 4              135329                  4163
    Concurrent sort, N = 5             3940720                 29541
    Leader election, N = 2                 383    (not legible in source)
    Leader election, N = 3               11068                   490
    Leader election, N = 4              537897                  3021
    Leader election, N = 5            26523000                 21856
    Tree arbiter, N = 2                     73                    48
    Tree arbiter, N = 4                  18247    (not legible in source)
    Tree arbiter, N = 6                3272700    (not legible in source)

Table 2.1: Experimental Results

The same examples show, as expected, that for small examples, a symbolic search on the statically reduced models is more expensive than a traditional explicit search with partial order reduction, and also more expensive than a symbolic search with no reduction at all. This is not an intrinsic property of static partial order reduction. It simply relates to the fact that for systems which are trivial to analyze, using both reduction and symbolic representation are optimizations whose overhead does not pay off. The characteristic profile of static reduction emerges as systems with a larger number of processes are analyzed. As the state space increases, the symbolic search with partial order reduction performs better than the symbolic search without reduction. The combined use of both techniques enables the verification of systems which are too large to be handled by either method alone.

Concluding, the main advantage of static partial order reduction is that it can be performed as a preprocessing phase prior to verification and hence is completely separate from the model checking engine. This enables a more modular construction of a model checking environment, and specifically, the use of partial order reduction with any existing model checker. As a resulting benefit, the performance advantages obtained by reducing the state space can be combined with optimizations specific to the target model checker. In particular, results show that partial order reduction and symbolic model checking, both techniques which have long been used independently, can be combined, extending the limits of automatic verification.
Chapter 3

Partial Order Reduction for Timed Automata

3.1 Introduction

Timed automata, originally defined by Alur and Dill [AD90], are a widespread model for continuous-time systems. They are extensions of finite state automata with constraints on timing behavior. The underlying state-transition graph of a timed automaton is augmented with a set of continuous-time clocks. Transitions (and in some variants of the model, states) are labeled with clock constraints that restrict the executions of the system in time.

The introduction of continuous time significantly increases the complexity of the verification problem. The state space of timed automata is inherently uncountable, but can be reduced to a finite model. The first such method is the region graph construction of [ACD90]; however, its complexity is exponential in the number of clocks and in the largest constant in the model. A different construction, the so-called zone automaton model, is based on performing computations on clock constraints [Dil89]. Though its theoretical worst-case complexity is not lower, it has proved efficient in practice, and has been used by a number of real-time verifiers [NSY92, Won94, LPW95]. Among the systems that have been successfully modeled and verified using timed automata are asynchronous circuits, communication protocols, automotive and manufacturing systems.

In this section, we show how to improve the efficiency of model checking for a system composed of timed automata using partial order reduction. First, we describe our model and related approaches to partial order reduction, including a local-time semantics [BJLW98]. In the remainder of the section, we extend this approach. We show that the local-time semantics can be modified to preserve the truth value of specifications in a timed extension of next-time free LTL. We give a constructive proof that the resulting model accepts a finite quotient, by presenting a condition for the equivalence of two local-time zones, which forms the basis for a state-space search algorithm. We discuss how the representation of time zones in the local-time semantics can be improved, and how to select ample sets of transitions for partial order reduction. The method leads to efficiency improvements on two counts: the local-time model has as effect the generation of fewer time zones, whereas partial order reduction leads to the exploration of fewer control states.

3.2 Timed Automata

3.2.1 Definition

Timed automata use a global and continuous notion of time. The clocks used to describe a timed automaton are real-time variables that evolve at the same rate:

Definition 1 (Clock; clock assignment) A clock is a variable over the set $\mathbb{R}^+$ of nonnegative reals. Given a set of clocks $C = \{x_1, x_2, \ldots, x_n\}$, a clock assignment is a function $v : C \to \mathbb{R}^+$ which assigns each clock a nonnegative real value. The set of clock assignments over $C$ is denoted by $\mathcal{V}(C)$.

Definition 2 (Clock constraint) Let $C$ be a finite set of clocks. A clock constraint over $C$ is a formula defined by the following grammar:

$\psi ::= true \mid c \prec x \mid x \prec c \mid x - y \prec c \mid \psi \wedge \psi$

where $x, y \in C$ are clocks, $c \in \mathbb{Z}$ is an integer, and $\prec\ \in \{<, \leq\}$. The first four terms on the right hand side are atomic clock constraints. The set of clock constraints over $C$ is denoted by $\mathcal{B}(C)$.

Since a constraint is a conjunction of elementary inequalities, it always represents a convex region in the space of clocks.

Definition 3 (Timed Automaton) A timed automaton is represented by a tuple $A = (S, S^0, C, E, I, \mu)$, where

• $S$ is a finite set of nodes (also called control states or locations)

• $S^0 \subseteq S$ is the set of initial nodes

• $C$ is a finite set of real-valued non-negative clocks

• $E \subseteq S \times \mathcal{B}(C) \times 2^C \times S$ is a finite set of edges. Each edge $e = (s, \psi, R, s')$ has a clock constraint $\psi$ called enabling condition and a set $R \subseteq C$ of clocks that are reset on traversing the edge

• $I : S \to \mathcal{B}(C)$ associates each node with a clock constraint called the invariant condition

• $\mu : S \to \mathcal{P}(AP)$ is a function labeling each node with atomic propositions from a set $AP$.

The clocks of a timed automaton allow the expression of timing properties. A clock that is reset by a transition can be subsequently used in a timing constraint, allowing a reference to the timepoint when that transition was taken. An enabling condition constrains the execution of a transition, without forcing it to be taken. An invariant condition, on the other hand, allows an automaton to stay at a certain state only as long as the constraint is satisfied.

We reason about systems composed of several timed automata. We define a general parallel composition parameterized by a synchronization function:

Definition 4 (Network of timed automata) Consider the timed automata $A_i = (S_i, S_i^0, C_i, E_i, I_i, \mu_i)$ for $1 \leq i \leq n$ and a synchronization function $f : \prod_{i=1}^{n} (E_i \cup \{\epsilon\}) \to \{0, 1\}$, where $\epsilon$ is a symbol denoting a null edge. The network of timed automata $A_1 \parallel A_2 \parallel \ldots \parallel A_n$ is a timed automaton $A = (S, S^0, C, E, I, \mu)$, where:

• $S = S_1 \times S_2 \times \ldots \times S_n$

• $S^0 = S_1^0 \times S_2^0 \times \ldots \times S_n^0$

• $C = C_1 \cup C_2 \cup \ldots \cup C_n$ (it is assumed that $C_i \cap C_j = \emptyset$ for $i \neq j$)

• $E$ contains a family of edges (called a transition) for each tuple of edges $(e_1, \ldots, e_n)$ with $f(e_1, \ldots, e_n) = 1$. The edges of transition $\alpha$ have $\psi = \bigwedge_{i \in active(\alpha)} \psi_i$ and $R = \bigcup_{i \in active(\alpha)} R_i$, where $active(\alpha) = \{i \mid e_i \neq \epsilon\}$, and $e_i = (s_i, \psi_i, R_i, s'_i)$. The components $s_i$ and $s'_i$ of the edge endpoints are given by $e_i$ for $i \in active(\alpha)$ and are arbitrary, but pairwise equal ($s_j = s'_j \in S_j$) for $j \notin active(\alpha)$.

• $I(s) = \bigwedge_{i=1}^{n} I_i(s_i)$

• $\mu(s) = \bigcup_{i=1}^{n} \mu_i(s_i)$ (it is assumed that the sets of atomic propositions $AP_i$ are pairwise disjoint).

In other words, a transition in the network of automata corresponds to the synchronous traversal of edges in several of the component automata. The synchronization function determines which automata execute (the active set for the given transition) and which ones remain at their local state (those for which $e_i = \epsilon$). A transition whose active set contains more than one automaton is called a synchronization transition, otherwise it is called local. The set of transitions is denoted by $T$.

The above definition allows the modeling of many common synchronization paradigms. For instance, to model CCS-type communication one can assume that the edges of the individual automata are labeled by action symbols, and choose a synchronization function which has value 1 for tuples which contain a pair of matching communication transitions, and $\epsilon$-transitions otherwise. Multi-way synchronization can be modeled in a similar fashion.

3.2.2 Semantics

Two basic operations are defined on clocks: incrementing and resetting. If $v \in \mathcal{V}(C)$ is a clock assignment and $d \in \mathbb{R}^+$ a nonnegative real number, then $v + d$ is the assignment given by $(v + d)(x) = v(x) + d$, for each clock $x \in C$.

Given a set of clocks $R \subseteq C$, $v[R \mapsto 0]$ denotes the clock assignment that agrees with $v$ for all clocks in $C \setminus R$, and is zero for all clocks $x \in R$. For a clock constraint $\psi \in \mathcal{B}(C)$ and a clock assignment $v \in \mathcal{V}(C)$, denote by $\psi(v)$ the truth value of $\psi$ for the clock assignment $v$.

The semantics of a timed automaton can be defined as follows:

Definition 5 (Semantics) A model of a timed automaton is a state-transition graph $\mathcal{S}(A) = (\Sigma, \Sigma^0, \to)$, where

• $\Sigma = \{(s, v) \mid I(s)(v)\}$ is the set of states whose clock assignment satisfies the node invariant

• $\Sigma^0 = \{(s^0, 0_C) \mid s^0 \in S^0\}$ is the set of initial states, where $0_C$ is the clock assignment with $0_C(x) = 0$ for all $x \in C$

• $\to$ is the transition relation defined as the union of delay (or time) transitions and action (or event) transitions as follows:

$(s, v) \xrightarrow{d} (s, v + d)$ if $d \in \mathbb{R}^+$ and $I(s)(v + d')$ holds for all $d' \in [0, d]$

$(s, v) \xrightarrow{\alpha} (s', v[R \mapsto 0])$ for $\alpha \in T$ if there exists an edge $e = (s, \psi, R, s') \in \alpha$ such that $\psi(v)$ is true and $I(s')(v[R \mapsto 0])$ holds.

In other words, a timed state in the model is a pair consisting of a node and a clock assignment that satisfies the location invariant. Transitions are of two types: a delay transition is caused by the elapsing of time in the same control state, if the invariant condition remains satisfied throughout. An action transition can be executed if the clock assignment satisfies the enabling condition. The clocks in the set $R$ associated with the edge are reset, whereas the other clocks maintain their value (the transition is instantaneous). The location invariant has to be satisfied in the resulting state.

Any timed automaton can be transformed into an equivalent automaton whose state invariants only impose upper bounds on clocks, i.e., are composed of constraints of the form $x_i \prec c$. This is true because constraints of the type $x_i - x_j \prec c$ or $c \prec x_i$ cannot be falsified by the passage of time and will remain true in a control state if they were true upon entering it:

• $x_i - x_j \prec c \Rightarrow (x_i + d) - (x_j + d) \prec c$, for all $d \in \mathbb{R}^+$

• $c \prec x_i \Rightarrow c \prec x_i + d$, for all $d \in \mathbb{R}^+$

Therefore, it suffices to have these two types of constraints guaranteed at the execution time of any transition entering the given location. Specifically, consider the edge $e = (s, \psi, R, s')$. The conjuncts discussed above can be incorporated into the enabling condition of the edge by splitting the invariant into $I(s') = I_{edge} \wedge I_{node}$ and rewriting the enabling condition for an arbitrary clock valuation $v$ as follows (we write $E[R \mapsto 0]$ for the clock expression $E$ in which the clocks belonging to $R$ are replaced with 0):

$\psi(v) \wedge (I_{edge} \wedge I_{node})(v[R \mapsto 0])$

$= \psi(v) \wedge I_{edge}(v[R \mapsto 0]) \wedge I_{node}(v[R \mapsto 0])$

$= \psi(v) \wedge (I_{edge}[R \mapsto 0])(v) \wedge I_{node}(v[R \mapsto 0])$

$= (\psi \wedge I_{edge}[R \mapsto 0])(v) \wedge I_{node}(v[R \mapsto 0])$

The new enabling condition is therefore $\psi \wedge I_{edge}[R \mapsto 0]$, and the new invariant is $I_{node}$. We assume in the following that all timed automata have been transformed to observe this property.

In addition, since all clock constraints are conjunctions and therefore convex, the invariant holds in all intermediate states of a delay transition if it holds at the endpoints. Assuming that the automaton has been transformed as above (with invariants enforcing only upper bounds on clocks), the invariant only needs to be checked in the resulting state:

$(s, v) \xrightarrow{d} (s, v + d)$ if $d \in \mathbb{R}^+$, and $I(s)(v + d)$ holds
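The clock operations of Section 3.2.2 and the invariant-splitting transformation above, worked on a constructed two-clock edge as an added example (not the dissertation's code): atomic constraints are evaluated, clocks in $R$ are substituted by 0, and the original and rewritten guards are compared on a grid of valuations. The class and function names are our own.

```python
# Added example, not the dissertation's code: clock assignments, atomic clock
# constraints (Definition 2) and the invariant-splitting transformation of
# Section 3.2.2, applied to a constructed two-clock edge. Names are our own.
from dataclasses import dataclass
from typing import Optional


def _cmp(a, op, b):
    return a < b if op == "<" else a <= b


@dataclass(frozen=True)
class Atom:
    """x - y op c when y is set; otherwise x op c (upper bound) or, with
    lower=True, c op x (lower bound). op is "<" or "<="."""
    x: str
    y: Optional[str]
    op: str
    c: int
    lower: bool = False

    def holds(self, v):
        if self.y is not None:
            return _cmp(v[self.x] - v[self.y], self.op, self.c)
        if self.lower:
            return _cmp(self.c, self.op, v[self.x])
        return _cmp(v[self.x], self.op, self.c)

    def is_upper_bound(self):
        return self.y is None and not self.lower

    def substitute_zero(self, R):
        """E[R -> 0]: the atom with every clock in R replaced by 0."""
        if self.y is not None:
            if self.x in R and self.y in R:
                return _cmp(0, self.op, self.c)
            if self.x in R:                  # -y op c  is  -c op y
                return Atom(self.y, None, self.op, -self.c, lower=True)
            if self.y in R:                  # x op c
                return Atom(self.x, None, self.op, self.c)
        elif self.x in R:                    # c op 0  or  0 op c
            return _cmp(self.c, self.op, 0) if self.lower else _cmp(0, self.op, self.c)
        return self


def delay(v, d):                              # v + d
    return {x: t + d for x, t in v.items()}


def reset(v, R):                              # v[R -> 0]
    return {x: (0.0 if x in R else t) for x, t in v.items()}


def holds(constraint, v):
    """A constraint is a conjunction: a list of atoms or already-decided bools."""
    return all(a if isinstance(a, bool) else a.holds(v) for a in constraint)


def split_invariant(inv):
    """I(s') = I_edge /\ I_node: upper bounds stay on the node, the rest move
    to the entering edges, where they cannot be falsified by elapsing time."""
    edge = [a for a in inv if not a.is_upper_bound()]
    node = [a for a in inv if a.is_upper_bound()]
    return edge, node


def transform_edge(psi, R, inv_target):
    """New enabling condition psi /\ I_edge[R -> 0] and new invariant I_node."""
    edge, node = split_invariant(inv_target)
    return psi + [a.substitute_zero(R) for a in edge], node


def guards_agree(psi, R, inv_target, samples):
    """Check the derivation of Section 3.2.2: the original guard
    psi(v) /\ I(s')(v[R -> 0]) equals the transformed one on every sample v."""
    psi2, node = transform_edge(psi, R, inv_target)
    return all((holds(psi, v) and holds(inv_target, reset(v, R)))
               == (holds(psi2, v) and holds(node, reset(v, R))) for v in samples)


def delay_allowed(node_inv, v, d):
    """With upper bounds only, the invariant need only hold at v + d."""
    return holds(node_inv, delay(v, d))


# Constructed edge: guard 2 <= x, reset {y}, target invariant
# x - y <= 5 /\ 3 <= x /\ y <= 4.
EXAMPLE_PSI = [Atom("x", None, "<=", 2, lower=True)]
EXAMPLE_R = {"y"}
EXAMPLE_INV = [Atom("x", "y", "<=", 5), Atom("x", None, "<=", 3, lower=True),
               Atom("y", None, "<=", 4)]
SAMPLES = [{"x": i / 2, "y": j / 2} for i in range(16) for j in range(16)]


def example_transform():
    return transform_edge(EXAMPLE_PSI, EXAMPLE_R, EXAMPLE_INV)
```

For the constructed edge, $x - y \leq 5$ becomes the guard conjunct $x \leq 5$ after substituting $y = 0$, $3 \leq x$ moves to the guard unchanged, and only $y \leq 4$ remains as the node invariant.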

In our analysis of the system, we will observe its execution traces, defined as follows:

Definition 6 (Execution trace) An execution trace of a timed automaton is a finite or infinite sequence $\sigma = (s^0, 0_C) \to (s^1, v^1) \to \ldots \to (s^k, v^k) \to \ldots$ starting from an initial location $s^0 \in S^0$.

We denote by $\sigma(k) = (s^k, v^k)$ the $k$th state on the trace $\sigma$, by $\sigma_k$ the finite prefix of $\sigma$ ending at $(s^k, v^k)$ and by $\sigma^k$ the suffix of $\sigma$ starting at the same state.


3.3 The model checking problem

Verification of timed automata models has been studied in several contexts. The Kronos model checker [NSY92] is built for timed versions of CTL and of the modal $\mu$-calculus [HNSY92]. Uppaal [LPW95] accepts a logic for safety and bounded liveness properties which can reference values of clocks. However, partial order approaches have been so far restricted to less expressive properties: Pagani [Pag96, Pag97] addresses the problem of deadlock detection, whereas Bengtsson et al. [BJLW98] check local reachability within one process.

We propose to use an extension of LTL that also allows atomic time constraints to be used in place of atomic propositions. The logic is inspired by the timed temporal logic for nets (TNL) of Yoneda et al. [YSSC93], which was defined and used in the context of Petri nets. The inclusion of atomic time constraints in the logic allows the real-time aspect of the system to be captured: comparing the difference of two clocks that are reset by two transitions permits reasoning about the time separation of the corresponding two events.
The formulas of our logic, which we will call $\mathrm{LTL}_\Delta$, are defined as follows:

• an atomic formula $\varphi_a$ is an atomic proposition $p \in AP$ or an atomic clock constraint $x - y \prec c$, where $x, y \in C$, $c \in \mathbb{Z}$ and $\prec\ \in \{<, \leq\}$

• if $\varphi_1$ and $\varphi_2$ are formulas, then $\neg\varphi_1$, $\varphi_1 \wedge \varphi_2$ and $\varphi_1 \mathbin{U} \varphi_2$ are formulas.

To maintain the correspondence with untimed systems, we will define the semantics of $\mathrm{LTL}_\Delta$ only for infinite execution paths on which time diverges, i.e., for which the sum of delays is infinite. This means disallowing Zeno paths, on which an infinite number of transitions is taken in a finite amount of time.

Definition 7 (Semantics of logic) For an infinite, time-divergent execution trace $\sigma = (s^0, v^0) \xrightarrow{\tau_1} (s^1, v^1) \xrightarrow{\tau_2} \ldots \xrightarrow{\tau_k} (s^k, v^k) \xrightarrow{\tau_{k+1}} \ldots$, the semantics of an $\mathrm{LTL}_\Delta$ formula is defined as follows:

• $(s, v) \models p$ iff $p \in \pi(s)$

• $(s, v) \models x - y \prec c$ iff $v(x) - v(y) \prec c$.

• $\sigma \models \varphi_a$ iff $\varphi_a$ is an atomic formula and $(s^0, v^0) \models \varphi_a$

• $\sigma \models \neg\varphi$ iff not $\sigma \models \varphi$

• $\sigma \models \varphi_1 \wedge \varphi_2$ iff $\sigma \models \varphi_1$ and $\sigma \models \varphi_2$

• $\sigma \models \varphi_1 \mathbin{U} \varphi_2$ iff there exists $k \geq 0$ such that $\sigma^k \models \varphi_2$ and $\sigma^j \models \varphi_1$ for all $0 \leq j < k$

For a delay transition $(s, v) \xrightarrow{d} (s, v + d)$, the automaton passes through the continuous sequence of intermediate states $(s, v + d')$ with $0 \leq d' \leq d$. Since both control state and clock differences are preserved in each of these intermediate states (for any two clocks $x, y \in C$ we have $v(x) - v(y) \prec c \iff (v + d')(x) - (v + d')(y) \prec c$, for all $d' \in [0, d]$), they have the same truth value for all atomic subformulas of a formula in $\mathrm{LTL}_\Delta$. Thus, the given semantics of $\mathrm{LTL}_\Delta$ (considering truth values at transition endpoints) corresponds to the intuitive meaning of continuous execution.
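The following Python evaluator is added here as an example and is not part of the dissertation. It implements the suffix semantics of Definition 7 over a trace of (location, valuation) states: atomic propositions are looked up in a constructed labelling $\pi(s)$, atomic clock constraints compare clock differences, and Until is checked on the suffixes $\sigma^k$. The locations, labelling, trace and formulas are all constructed for this example. Because it runs on a finite prefix (the definition is for infinite time-divergent traces), an Until whose right operand is not reached inside the prefix is reported false; that is an assumption of the example, not of the logic.

```python
from typing import Dict, List, Set, Tuple

# Constructed labelling pi(s) of three locations (assumption of this example).
LABEL: Dict[str, Set[str]] = {"idle": {"ready"}, "busy": set(), "done": {"ready", "ok"}}
State = Tuple[str, Dict[str, float]]      # (location, clock valuation v)

# Formulas of LTL_Delta as nested tuples:
#   ("ap", p)                atomic proposition p
#   ("diff", x, y, op, c)    atomic clock constraint x - y op c, op in {"<", "<="}
#   ("not", f), ("and", f, g), ("until", f, g)
def holds_state(state: State, atom: tuple) -> bool:
    """(s, v) |= atom for an atomic formula."""
    s, v = state
    if atom[0] == "ap":
        return atom[1] in LABEL[s]
    _, x, y, op, c = atom
    d = v[x] - v[y]
    return d < c if op == "<" else d <= c

def holds(trace: List[State], f: tuple, k: int = 0) -> bool:
    """sigma^k |= f (Definition 7) on the finite prefix `trace`; an Until whose right
    operand is not reached inside the prefix is reported false (example assumption)."""
    kind = f[0]
    if kind in ("ap", "diff"):
        return holds_state(trace[k], f)
    if kind == "not":
        return not holds(trace, f[1], k)
    if kind == "and":
        return holds(trace, f[1], k) and holds(trace, f[2], k)
    for m in range(k, len(trace)):           # kind == "until": find m >= k with f[2]
        if holds(trace, f[2], m):            # ... while f[1] holds on every j in [k, m)
            return True
        if not holds(trace, f[1], m):
            return False
    return False

TRUE = ("not", ("diff", "x", "x", "<", 0))   # x - x < 0 never holds, so its negation is true

def eventually(g):
    return ("until", TRUE, g)

def always(g):
    return ("not", eventually(("not", g)))

def make_trace(steps) -> List[State]:
    """Build the trace of transition endpoints from ("delay", d) and ("act", location, resets)."""
    loc, v = "idle", {"x": 0.0, "y": 0.0}
    trace = [(loc, dict(v))]
    for step in steps:
        if step[0] == "delay":
            v = {c: val + step[1] for c, val in v.items()}
        else:
            loc = step[1]
            v = {c: (0.0 if c in step[2] else val) for c, val in v.items()}
        trace.append((loc, dict(v)))
    return trace

# Constructed run: x is reset on entering busy, y on entering done, so x - y at
# any later state is the time separation between the two events.
TRACE = make_trace([("delay", 1), ("act", "busy", {"x"}), ("delay", 3),
                    ("act", "done", {"y"}), ("delay", 2)])

def separation_at_most(c: float) -> bool:
    """Does the run eventually reach `done` with the busy->done separation x - y <= c?"""
    return holds(TRACE, eventually(("and", ("ap", "ok"), ("diff", "x", "y", "<=", c))))
```

On the constructed run the two events are separated by 3 time units, so `separation_at_most(3)` holds and `separation_at_most(2)` does not; the clock difference is unchanged by the final delay, which is the endpoint-invariance observation made above.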
3.3.1 Effect of transition interleavings

The traditional reachability analysis algorithm for networks of timed automata explores all possible transition interleavings among the individual components. A partial order method would select a representative from each set of equivalent interleavings, exploring only a reduced portion of the state space. However, in the given model, clocks advance simultaneously in all automata, causing dependencies between transitions in individual components. Different interleavings may therefore produce different assignments to clock values. The following simple example illustrates this problem.

Consider the system of two automata in Figure 3.1. The initial state is given by $((r_1, s_1), x = y)$. From there, if transition $a$ is executed first, the system reaches the state $((r_2, s_1), x \leq y)$ (clock $x$ is reset on executing the transition, so its value will not exceed that of $y$). Subsequently, on executing $b$, clock $y$ is reset, resulting in the state $((r_2, s_2), x \geq y)$. On the other hand, if $b$ is executed first, the system reaches the state $((r_1, s_2), x \geq y)$, and then, after executing $a$, the state $((r_2, s_2), x \leq y)$.


Figure 3.1: Effect of transition interleavings

The two interleavings lead to the same control state, but to different clock zones and therefore different states in the zone automaton. Thus, the two transitions are not independent and the partial order reduction techniques developed for untimed systems cannot be applied in this case.

Note that after executing both transitions in either interleaving, the system state belongs to the union of the two zones, $((r_2, s_2), x \geq y \vee x \leq y) = ((r_2, s_2), \mathit{true})$. If the verified property is insensitive to the relative ordering of $x$ and $y$, the two interleavings are still equivalent. In such cases, a partial order reduction procedure should produce a zone containing the timed states reachable by all transition interleavings, while exploring only one interleaving, and thus fewer states.
3.4 Related Work

Partial order reduction techniques were first investigated in the context of timed Petri nets by Yoneda, Schlingloff et al. [YSSC93, YS97]. Their model has earliest and latest firing times associated with transitions and is thus less expressive than timed automata. For specifications, they defined an expressive timed extension of next-time free LTL, which is the source for our logic $\mathrm{LTL}_\Delta$. Their reduction method is based on stubborn sets, and they show that only the transitions in the reduced set chosen for exploration need to be ordered in time. Lilius [Lil98] suggests an improvement where the transition firing order need not be stored in the timed state. This reduces the complexity of the timing constraints and the branching in the generated graph. He also shows how the unfolding prefix of McMillan [McM95] can be used to select reduced sets of transitions for exploration.

For timed automata, the first approach to partial order reduction appears to be the work of Pagani [Pag96, Pag97]. Her thesis analyzes the dependence relation between transitions in a network of timed automata and the cases when partial order reduction can be applied. We briefly present the main results, in order to illustrate the issues that restrict the application of partial order reduction for this timed model. Pagani observes that there are the following elementary dependence cases among action and delay transitions:

• $\xrightarrow{t}$ disables $\xrightarrow{a}$ if there exists a state $(s, v)$ and $t \in \mathbb{R}_+$ such that $\xrightarrow{a}$ is enabled in $(s, v)$ but not in $(s, v + t)$.

• $\xrightarrow{t}$ enables $\xrightarrow{a}$ if there exists a state $(s, v)$ and $t \in \mathbb{R}_+$ such that $\xrightarrow{a}$ is not enabled in $(s, v)$ but is enabled in $(s, v + t)$.

• $\xrightarrow{a}$ disables $\xrightarrow{t}$ if there exists a state $(s, v)$ and $t \in \mathbb{R}_+$ such that time $t$ can pass in $(s, v)$ but not in $(s', v)$ (where $s \xrightarrow{a} s'$).

• $\xrightarrow{a}$ enables $\xrightarrow{t}$ if there exists a state $(s, v)$ and $t \in \mathbb{R}_+$ such that time $t$ cannot pass in $(s, v)$ but can pass in $(s', v)$ (where $s \xrightarrow{a} s'$).

The above elementary relations induce dependence relations between the transitions of the zone automaton, which model the joint effect of action and delay transitions. Pagani identifies seven dependence cases for transitions occurring in different component automata. One of these cases can be dismissed by using the weaker notion of independence which allows transitions to enable one another. The remaining dependence cases are as follows:

1. enables and disables

2. enables and disables

3. $R_a \neq \emptyset$ and $R_b \neq \emptyset$.

4. $R_a \neq \emptyset$ and enables

5. $R_a \neq \emptyset$ and disables

6. $R_a \neq \emptyset$ and disables


Case 5:

Figure 3.2: Dependent transitions in the zone automaton


The first two cases in the definition above violate the enabledness condition of independence, whereas the last four cases violate the commutativity requirement. For instance, in case (1) it may be possible to execute one of the transitions and, after some time, the other, but if the other is executed first, the amount of time that needs to pass may disable the first. In case (3) (discussed in the previous section), the relative value of the clocks in $R_a$ and $R_b$ will depend on the order in which they were reset, i.e., on the execution order of $\xrightarrow{a}$ and $\xrightarrow{b}$. In case (5), if $\xrightarrow{b}$ is executed after $\xrightarrow{a}$, the relative difference between $x$ and $y$ is limited as a consequence. Thus, the set of timed states reached after one interleaving includes all states reached when the other interleaving is executed. Overall, the analysis of Pagani shows that the number of independent transitions is significantly reduced by timing.

The approach of Dams et al. [DGKK98] eliminates some of these dependencies by using the asymmetric notion of covering instead of independence. A transition $b$ covers a transition $a$ if all timed states reached by executing $\xrightarrow{a}$ followed by $\xrightarrow{b}$ can be reached by executing $\xrightarrow{b}$ and then $\xrightarrow{a}$, such as in case (5) depicted above. Thus, to account for all the states, it is still sufficient to choose just one interleaving, but while for independent transitions the choice is irrelevant, here the covering transition needs to be explored first. However, the approach is limited to the situation where the covering transition does not reset any clocks.

Belluomini and Myers [BM98] also use a model with lower and upper time bounds associated to transitions. They use partially ordered sets of events, thus typically generating a single timed state for each control state. However, the full set of control states is still explored.

Bosnacki and Dams [BD98] describe an extension of the Spin model checker with discrete time, which is compatible with the original partial order reduction algorithms. The result follows from the restrictions imposed on the timing extensions: clocks cannot be used in specifications, and passage of time is possible only if no other transitions are enabled.

The approach on which we draw most is that of Bengtsson, Jonsson, Lilius and Wang [BJLW98]. They define a local-time semantics based on desynchronized execution of the component automata and local time delays, with additional reference clocks to model synchronization. In this model the same independence conditions as in the untimed case apply, and an algorithm is given to decide the reachability of a local control state.
3.5 A local time model

In this section we revisit the local time model of Bengtsson et al. [BJLW98] using a somewhat different notation and prove several results which underlie its use for model checking.

To analyze the causes of dependence among transitions in a network of timed automata, consider the effects of action and delay transitions in each component automaton. From the definition of parallel composition one can see that the enabling of an action transition and the resulting state change only depend on the state of the automata in its active set. Moreover, the states in the other automata are not changed by the transition. Consequently, two action transitions involving two disjoint sets of automata are independent, just as for composition of untimed systems.

On the other hand, a delay transition changes the state in all automata by incrementing the values of all clocks (and is henceforth called a global delay transition). It therefore becomes dependent on any action transition that also changes clock values (for which $R \neq \emptyset$). However, one can view a global delay transition as a set of simultaneous transitions with equal delay in all component automata. This suggests that time-induced dependencies can be removed by separating a global delay transition into individual transitions for each component automaton, without requiring their simultaneity. To this effect, local passage of time is introduced as follows:

Let $v \in V(C)$ be a clock valuation. For $d \in \mathbb{R}$ and $i \in \overline{1, n}$, define the clock valuation $v +_i d$ by: $(v +_i d)(x) = v(x) + d$ for $x \in C_i$ and $(v +_i d)(x) = v(x)$ otherwise.

A local delay transition $\xrightarrow{d}_i$ increments only the clocks in automaton $A_i$. We associate such a transition with a pair $(d, i) \in T_\Delta = \mathbb{R}_+ \times \overline{1, n}$, define $\mathit{active}((d, i)) = \{i\}$ and denote by $\mathcal{T} = T \cup T_\Delta$ the set of action and local delay transitions of $A$. For $i \in \overline{1, n}$, define the functions $\mathit{delay}_i : \mathcal{T} \to \mathbb{R}_+$ as follows: $\mathit{delay}_i((d, i)) = d$, $\mathit{delay}_i((d, j)) = 0$ for $i \neq j$, and $\mathit{delay}_i(\xrightarrow{a}) = 0$ for $a \in T$. They indicate the delay caused by a transition in a component automaton.

Definition 8 (Local time model) The local time model $\mathcal{L}(A)$ for a network of timed automata $A = A_1 \parallel A_2 \parallel \ldots \parallel A_n$ is a state-transition graph with state set $\Sigma$, initial state set $\Sigma^0$ and execution traces $\sigma = (s^0, v^0) \xrightarrow{\tau_1} (s^1, v^1) \ldots \xrightarrow{\tau_k} (s^k, v^k) \ldots$ starting from a state $(s^0, v^0) \in \Sigma^0$ and satisfying one of the following conditions for any $k \geq 1$:

• $\tau_k = (d, i) \in T_\Delta$, $s^k = s^{k-1}$, $v^k = v^{k-1} +_i d$, and $I_i(s^k)(v^{k-1} +_i d')$ holds for all $d' \in [0, d]$, or

• $\tau_k \in T$, $(s^{k-1}, v^{k-1}) \xrightarrow{\tau_k} (s^k, v^k)$, and $\sum_{l=1}^{k-1} \mathit{delay}_i(\tau_l) = \sum_{l=1}^{k-1} \mathit{delay}_j(\tau_l)$ for all $i, j \in \mathit{active}(\tau_k)$

In the first case, automaton $A_i$ takes a local delay transition, denoted by $(s^{k-1}, v^{k-1}) \xrightarrow{d}_i (s^k, v^k)$. The second case corresponds to an action transition $(s^{k-1}, v^{k-1}) \xrightarrow{\tau_k} (s^k, v^k)$, with the additional constraint that the elapsed time (the sum of delays) is identical for all automata in the active set. (For a local action transition, with only one active automaton, this additional constraint is void.) In both cases, a transition $\tau_k$ that satisfies the given conditions is said to be enabled after the execution of $\sigma_{k-1}$. Denote by $\mathit{enabled}(\sigma)$ and $\mathit{enabled}^*(\sigma)$ the set of transitions and transition sequences, respectively, that can follow a finite trace $\sigma$.

For a finite execution trace $\sigma = (s^0, v^0) \xrightarrow{\tau_1} (s^1, v^1) \ldots \xrightarrow{\tau_k} (s, v)$, let $\mathit{time}_i(\sigma) = t_0 + \sum_{l=1}^{k} \mathit{delay}_i(\tau_l)$ where $t_0 \in \mathbb{R}_+$ is an arbitrary value denoting the timepoint at which the execution of $\sigma$ starts. Then, $\mathit{time}_i(\sigma)$ (or simply $\mathit{time}_i$, when $\sigma$ is understood from the context) denotes the timepoint reached in $A_i$ after executing the transitions in $\sigma$. The local configuration of $A_i$ reached by $\sigma$ is the tuple $\mathit{cfg}_i(\sigma) = (s_i, v_i, \mathit{time}_i)$, where $v_i$ is the restriction of $v$ to the clocks of $A_i$. The global configuration of $A$ is the tuple $\mathit{cfg}(\sigma) = (\mathit{cfg}_1(\sigma), \mathit{cfg}_2(\sigma), \ldots, \mathit{cfg}_n(\sigma))$, also written as $\mathit{cfg}(\sigma) = (s, v, \mathit{time})$ with $\mathit{time} = (\mathit{time}_1, \mathit{time}_2, \ldots, \mathit{time}_n)$. The set of all configurations is then $\Sigma_C = \Sigma \times (\mathbb{R}_+)^n$.

The definition of the local time model expresses the enabling of an action transition in terms of the trace executed so far. The following proposition shows that a configuration contains sufficient information to completely determine the subsequently enabled transitions.

Proposition 1 The following properties hold in the local time model $\mathcal{L}(A)$ for finite execution traces $\sigma$ and $\sigma'$ and transition $\tau \in \mathit{enabled}(\sigma)$:

• if $\mathit{cfg}_i(\sigma) = \mathit{cfg}_i(\sigma')$ for all $i \in \mathit{active}(\tau)$, then $\tau \in \mathit{enabled}(\sigma')$ and $\mathit{cfg}_i(\sigma\tau) = \mathit{cfg}_i(\sigma'\tau)$ for all $i \in \mathit{active}(\tau)$

• $\mathit{cfg}_j(\sigma\tau) = \mathit{cfg}_j(\sigma)$ for $j \notin \mathit{active}(\tau)$, where $\sigma\tau$ denotes the trace obtained by extending $\sigma$ with the transition $\tau$.
Proof: For the first part of the proposition it suffices to show that the enabledness of a transition and its effect depend only on the local configurations of the automata in its active set. For a local delay transition $\xrightarrow{d}_i$ in automaton $A_i$, its enabledness is a function only of the local invariant in state $s_i$ and the clock valuation $v_i$. The only state change is the increment of valuation $v_i$ by $d$, which is again independent of other components.

For an action transition $(s, v) \xrightarrow{a} (s', v')$, the definition of parallel composition implies that its enabledness in $\mathcal{S}(A)$ depends on the local states $(s_i, v_i)$ and the invariants of $s'_i$ for $i \in \mathit{active}(a)$. For $\mathcal{L}(A)$, the additional constraint is written as $\mathit{time}_i(\sigma) = \mathit{time}_j(\sigma)$ for $i, j \in \mathit{active}(a)$, which also depends only on $\mathit{cfg}_i(\sigma)$ for $i \in \mathit{active}(a)$. The state change is a function of the local state only: for $i \in \mathit{active}(a)$, $s'_i$ is given by the edge $(s_i, \psi_i, a, R_i, s'_i)$ in automaton $A_i$, and $v'_i = v_i[R_i \mapsto 0]$. For $j \notin \mathit{active}(a)$, we have $s'_j = s_j$ by definition and $v'_j = v_j$ since no clocks in $A_j$ are reset.

Finally, for the time component, we have $\mathit{time}_i(\sigma\tau) = \mathit{time}_i(\sigma) + \mathit{delay}_i(\tau)$ for all $i \in \overline{1, n}$. Therefore $\mathit{time}_i(\sigma) = \mathit{time}_i(\sigma') \Rightarrow \mathit{time}_i(\sigma\tau) = \mathit{time}_i(\sigma'\tau)$. Since the definition of $\mathit{delay}$ ensures that $\mathit{delay}_j(\tau) = 0$ for all $j \notin \mathit{active}(\tau)$, this implies $\mathit{time}_j(\sigma\tau) = \mathit{time}_j(\sigma)$ for $j \notin \mathit{active}(\tau)$. □

As a consequence, two finite execution traces leading to the same configuration have the same set of enabled transitions. For a configuration $\gamma \in \Sigma_C$ one can thus define $\mathit{enabled}(\gamma) = \mathit{enabled}(\sigma)$, where $\sigma$ is an arbitrary execution trace with $\mathit{cfg}(\sigma) = \gamma$. Likewise, the successor configuration of $\gamma$ by a transition $\tau \in \mathit{enabled}(\sigma)$ is defined as the configuration reached when extending the trace $\sigma$ by transition $\tau$: $\mathit{succ}_\tau(\gamma) = \mathit{cfg}(\sigma\tau)$. This is again independent of $\sigma$ and we write $\gamma \xrightarrow{\tau} \mathit{succ}_\tau(\gamma)$.

We are now ready to prove the desired independence properties for transitions in $\mathcal{L}(A)$. In general, two transitions are called independent if neither disables the execution of the other, and the same state is reached by executing them in either order. This notion is formalized as follows:

Definition 9 (Independence) Two transitions $\tau_1$ and $\tau_2$ are independent iff for any finite execution trace $\sigma$ such that $\tau_1, \tau_2 \in \mathit{enabled}(\sigma)$ the following two conditions hold:

Enabledness: $\tau_2 \in \mathit{enabled}(\sigma\tau_1) \wedge \tau_1 \in \mathit{enabled}(\sigma\tau_2)$

Commutativity: $\mathit{fin}(\sigma\tau_1\tau_2) = \mathit{fin}(\sigma\tau_2\tau_1) \wedge \mathit{enabled}^*(\sigma\tau_1\tau_2) = \mathit{enabled}^*(\sigma\tau_2\tau_1)$, where $\mathit{fin}(\sigma)$ denotes the last state on the trace $\sigma$.

The following theorem then holds (cf. [BJLW98]):

Theorem 1 Two (action or local delay) transitions $\tau_1, \tau_2 \in \mathcal{T}$ that involve disjoint sets of automata ($\mathit{active}(\tau_1) \cap \mathit{active}(\tau_2) = \emptyset$) are independent.

Proof: If $j \in \mathit{active}(\tau_2)$, then $j \notin \mathit{active}(\tau_1)$ and $\mathit{cfg}_j(\sigma\tau_1) = \mathit{cfg}_j(\sigma)$ for all $j \in \mathit{active}(\tau_2)$. Thus, $\tau_2 \in \mathit{enabled}(\sigma) \Rightarrow \tau_2 \in \mathit{enabled}(\sigma\tau_1)$, and symmetrically for the second conjunct.

For commutativity, since $\mathit{active}(\tau_1) \cap \mathit{active}(\tau_2) = \emptyset$, each of the local configurations is changed at most once, either by $\tau_1$ or by $\tau_2$, independently of their ordering. Therefore, $\mathit{cfg}(\sigma\tau_1\tau_2) = \mathit{cfg}(\sigma\tau_2\tau_1)$. In particular, this means $\mathit{fin}(\sigma\tau_1\tau_2) = \mathit{fin}(\sigma\tau_2\tau_1)$, and furthermore, since the enabledness of transitions depends only on the reached configuration, $\mathit{enabled}^*(\sigma\tau_1\tau_2) = \mathit{enabled}^*(\sigma\tau_2\tau_1)$. □

A finite trace $\sigma$ in $\mathcal{L}(A)$ is called synchronized if $\mathit{time}_i(\sigma) = \mathit{time}_j(\sigma)$ for all $i, j \in \overline{1, n}$, i.e., if all automata have executed for the same amount of time, denoted by $\mathit{time}(\sigma)$. The following theorem relates the reachable state spaces of the standard and local time models (cf. [BJLW98]):

Theorem 2 Each state $(s, v)$ reachable in $\mathcal{S}(A)$ is also reachable in $\mathcal{L}(A)$. Moreover, each state reached by a synchronized trace $\sigma_l$ in $\mathcal{L}(A)$ is also reachable in $\mathcal{S}(A)$.

Proof: For the first part, note that any execution trace in $\mathcal{S}(A)$ yields an execution trace in $\mathcal{L}(A)$ by replacing each global delay transition $\xrightarrow{d}$ with the sequence of local delay transitions $\xrightarrow{d}_1 \ldots \xrightarrow{d}_n$.

The reverse implication follows by induction on the number of action transitions in $\sigma_l$. For the base case, if $\sigma_l$ is synchronized and contains only local delay transitions, they sum up to the same total delay $d$. Then, $\mathit{fin}(\sigma_l)$ is reachable in $\mathcal{S}(A)$ by executing the global delay transition $\xrightarrow{d}$.

For the induction step, consider the action transition $a$ in $\sigma_l$ executed at the latest timepoint, $t_a \leq t = \mathit{time}(\sigma_l)$. Then, in every automaton, $\sigma_l$ ends with local delay transitions totaling at least $t - t_a$. Removing this delay in every automaton yields a synchronized trace $\sigma'_l$ with $\mathit{time}(\sigma'_l) = t_a$. In $\sigma'_l$, $a$ is the last transition in all participating automata. Its removal results in the synchronized execution trace $\sigma''_l$ with fewer action transitions. By the induction hypothesis, the state $\mathit{fin}(\sigma''_l)$ is reachable in $\mathcal{S}(A)$, and $\mathit{fin}(\sigma_l)$ is reachable from it by executing $\xrightarrow{a}$ followed by $\xrightarrow{t - t_a}$. □
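The following Python model is added as an example; it is not code from the dissertation or from [BJLW98]. It makes the contrast between the two semantics concrete on a constructed two-automaton network: $A_1$ owns clock $x$ and action $a$, $A_2$ owns $y$ and $b$, and $c$ is a synchronization of both automata that resets both clocks (guards and invariants are omitted, an assumption of the example). `run_global` implements the global-time semantics of Section 3.3.1, where the two interleavings of $a$ and $b$ end in different zones; `run_local` implements Definition 8 with local delays $v +_i d$, per-automaton $\mathit{time}_i$ and the equal-local-time condition on synchronizations, so that transitions with disjoint active sets commute (Theorem 1); `to_local` performs the first half of Theorem 2's proof by splitting each global delay into one local delay per automaton.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed network (not one of the dissertation's figures): A1 owns x, A2 owns y.
# Each action maps to (active set, clocks reset). Guards/invariants assumed always true.
OWNER: Dict[str, int] = {"x": 1, "y": 2}
ACTIONS: Dict[str, Tuple[FrozenSet[int], FrozenSet[str]]] = {
    "a": (frozenset({1}), frozenset({"x"})),
    "b": (frozenset({2}), frozenset({"y"})),
    "c": (frozenset({1, 2}), frozenset({"x", "y"})),   # synchronization of A1 and A2
}
Step = tuple  # ("delay", d) globally, ("delay", d, i) locally, or (action_name,)

def run_global(trace: List[Step]) -> Dict[str, float]:
    """Global-time semantics: a delay advances every clock, an action resets its clocks."""
    v = {"x": 0.0, "y": 0.0}
    for step in trace:
        if step[0] == "delay":
            v = {clk: val + step[1] for clk, val in v.items()}
        else:
            _, resets = ACTIONS[step[0]]
            v = {clk: (0.0 if clk in resets else val) for clk, val in v.items()}
    return v

def relation(v: Dict[str, float]) -> str:
    """Which of the zones x<y, x=y, x>y the valuation lies in."""
    return "x<y" if v["x"] < v["y"] else ("x>y" if v["x"] > v["y"] else "x=y")

@dataclass(frozen=True)
class Config:
    """Global configuration cfg(sigma) = (v, time) with time = (time_1, time_2)."""
    v: Tuple[Tuple[str, float], ...]
    time: Tuple[float, ...]

def run_local(trace: List[Step], t0: float = 0.0) -> Config:
    """Local-time model (Definition 8): ("delay", d, i) is the local delay that advances
    only A_i's clocks and time_i; an action is enabled only if every automaton in its
    active set has reached the same local time (the sum-of-delays condition)."""
    v = {"x": 0.0, "y": 0.0}
    time = {1: t0, 2: t0}
    for step in trace:
        if step[0] == "delay":
            _, d, i = step
            v = {clk: val + (d if OWNER[clk] == i else 0.0) for clk, val in v.items()}
            time[i] += d
        else:
            active, resets = ACTIONS[step[0]]
            if len({time[i] for i in active}) != 1:
                raise ValueError(f"{step[0]} is not enabled: local times differ on its active set")
            v = {clk: (0.0 if clk in resets else val) for clk, val in v.items()}
    return Config(tuple(sorted(v.items())), (time[1], time[2]))

def local_enabled(trace: List[Step]) -> bool:
    """True iff every action in the trace is enabled when reached."""
    try:
        run_local(trace)
        return True
    except ValueError:
        return False

def is_synchronized(cfg: Config) -> bool:
    """All automata have executed for the same amount of time."""
    return len(set(cfg.time)) == 1

def to_local(trace: List[Step]) -> List[Step]:
    """Theorem 2, first part: each global delay becomes one local delay per automaton."""
    out: List[Step] = []
    for step in trace:
        out += [("delay", step[1], 1), ("delay", step[1], 2)] if step[0] == "delay" else [step]
    return out
```

Running `a`, a delay, then `b` under `run_global` gives $x > y$, while the opposite order gives $x < y$; under `run_local` the two orders of `a` and `b` after any prefix yield the same configuration, and `c` is rejected whenever $\mathit{time}_1 \neq \mathit{time}_2$.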
3.6 The local-time zone automaton

In the global-time semantics, sets of timed states can be represented using clock constraints, resulting in a quotient structure called the zone automaton. In [BJLW98], this approach is adapted to the local-time model. Using our notations, a local-time zone is a convex set of configurations $z \subseteq \Sigma_C$ with the same control state. A transition is enabled in a zone iff it is enabled in some configuration belonging to the zone. We denote this set by $\mathit{enabled}(z) = \{\tau \in \mathcal{T} \mid \exists \gamma \in z \,.\, \tau \in \mathit{enabled}(\gamma)\}$. The successor of a zone $z$ by a transition $\tau \in \mathit{enabled}(z)$ is $\mathit{succ}_\tau(z) = \{\mathit{succ}_\tau(\gamma) \mid \gamma \in z \wedge \tau \in \mathit{enabled}(\gamma)\}$.

For the standard zone automaton, an exploration step consists of an action transition followed by a delay transition of arbitrary amount. For the local-time model, we combine an action transition with subsequent delay transitions in all automata belonging to its active set, and prove that any reachable local-time state can be generated in this way. Specifically, we show:

Proposition 2 For any finite execution trace $\sigma$, there exists a trace $\sigma'$ with the same final configuration, which starts with a local delay transition in each component automaton, after which every subsequent action transition is followed by local delay transitions in all participating automata.

Proof: A delay transition $\xrightarrow{d}_i$ commutes with any other delay transition, and with action transitions $a$ such that $i \notin \mathit{active}(a)$. Thus, delay transitions can be moved towards the beginning of the execution trace $\sigma$, while merging consecutive delay transitions in the same automaton, until the preceding action transition involves the same automaton, or until it precedes all action transitions. □

Based on this result, we choose a zone successor operation that first performs an action transition $\xrightarrow{a}$, followed by arbitrary delay transitions in the automata belonging to its active set:

$\mathit{succ}^l(z, a) = \{\gamma_k \in \Sigma_C \mid \exists \gamma \in z,\ \exists d_{i_1}, \ldots, d_{i_k} \in \mathbb{R}_+ \,.\, \gamma \xrightarrow{a} \gamma' \xrightarrow{d_{i_1}}_{i_1} \cdots \xrightarrow{d_{i_k}}_{i_k} \gamma_k\}$

where $\mathit{active}(a) = \{i_1, i_2, \ldots, i_k\}$. The independence of local delay transitions ensures the uniqueness of the above definition irrespective of the ordering of indices in $\mathit{active}(a)$. An initial local-time zone is the set of all configurations reachable from an initial state by a sequence of delay transitions:

$\mathit{init}^l(s^0) = \{\mathit{cfg}(\sigma) \mid \exists d_1, \ldots, d_n \in \mathbb{R}_+ \,.\, \sigma = (s^0, 0_C) \xrightarrow{d_1}_1 \cdots \xrightarrow{d_n}_n (s^0, v^n)\}$

If $\mathit{succ}^\Delta_i(z) = \{\gamma' \mid \exists \gamma \in z,\ \exists d \in \mathbb{R}_+ \,.\, \gamma \xrightarrow{d}_i \gamma'\}$ is the successor by an arbitrary local delay, then $\mathit{init}^l(s^0) = (\mathit{succ}^\Delta_n \circ \ldots \circ \mathit{succ}^\Delta_1)((s^0, 0_C))$ and $\mathit{succ}^l(z, a) = (\mathit{succ}^\Delta_{i_k} \circ \ldots \circ \mathit{succ}^\Delta_{i_1} \circ \mathit{succ}_a)(z)$, where $\circ$ denotes function composition. The local-time zone automaton can now be defined as follows:

Definition 10 (Local-time zone automaton) The local-time zone automaton $\mathcal{Z}_l(A)$ for a network of automata $A$ is a tuple $(Z_l, Z_l^0, \mathit{succ}^l)$, where $Z_l^0 = \{\mathit{init}^l(s^0) \mid s^0 \in S^0\}$ is the set of initial local-time zones, $\mathit{succ}^l$ is the successor relation defined above, and $Z_l$ is the set of all local-time zones reachable by successive application of $\mathit{succ}^l$ from an initial zone.

Together with Proposition 2, this definition implies directly the following:

Theorem 3 A state is reachable in the model $\mathcal{L}(A)$ iff it belongs to a zone $z$ which is reachable in the local-time zone automaton $\mathcal{Z}_l(A)$.

3.6.1 Representation of local-time zones

In [BJLW98], a representation of local-time zones as difference bound matrices [Dil89] is given which uses one additional variable per automaton. For a class of timed automata, we derive an improved representation which does not need additional space compared to the standard zone automaton.

In the standard zone automaton, zones are represented using difference constraints on the clocks of the automaton. Atomic constraints between two clocks are invariant to global delay transitions. However, in the local-time model, the difference between two clocks in different automata is affected by a local delay transition in either of these automata. A transition $\xrightarrow{d}_i$ increments both the clocks in $C_i$ and the value of $\mathit{time}_i$. Instead of reasoning about the value $v_i(x)$ of a clock $x \in C_i$, this suggests considering the value $\mathit{time}_i - v_i(x)$. Indeed, this value represents the timepoint at which clock $x$ was last reset, and is consequently invariant to any delay transitions.

Consider the new variables $t_i$ for $i \in \overline{1, n}$, and $t_x$ for all clocks $x \in C$. Denote $T_i = \{t_x \mid x \in C_i\}$ for $i \in \overline{1, n}$, $T_i^+ = T_i \cup \{t_i\}$, $T = \{t_x \mid x \in C\} = \bigcup_{i=1}^n T_i$ and $T^+ = \bigcup_{i=1}^n T_i^+$. Given a configuration $(s, v, \mathit{time})$, define the valuation $\bar{v} : T^+ \to \mathbb{R}_+$ by $\bar{v}(t_i) = \mathit{time}_i$ for $i \in \overline{1, n}$ ($t_i$ is the reference time in automaton $A_i$) and $\bar{v}(t_x) = \mathit{time}_i - v(x)$ for $x \in C_i$ ($t_x$ is the last reset time of $x$). Conversely, $\bar{v}$ uniquely determines $v$ and $\mathit{time}$, and $(s, \bar{v})$ is an alternate representation for a configuration.

Any atomic clock constraint appearing in the description of $A$ can be rewritten as a difference constraint on two variables in $T^+$. Indeed, in a difference constraint $x - y \prec c$, both clocks belong to the same automaton $A_i$ and therefore $x - y = (t_i - t_x) - (t_i - t_y) = t_y - t_x$. Likewise, the constraints $x \prec c$ or $c \prec x$ can be rewritten as $t_i - t_x \prec c$ or $c \prec t_i - t_x$, respectively.

A local-time clock zone is the set of valuations belonging to a local-time zone. A zone is then written as $(s, \psi_l)$ where $s$ is the control state and $\psi_l$ is the clock zone. We prove:

Proposition 3 A local-time clock zone can be written as a difference constraint on the variables in $T^+$: $\psi_l = \bigwedge_{t_u, t_w \in T^+} t_u - t_w \prec_{uw} c_{uw}$, with $c_{uw} \in \mathbb{Z}$.

Proof: In an initial configuration, $t_x = t_i = t_0$, $\forall x \in C_i$, $i \in \overline{1, n}$. Thus, $\psi_l = \bigwedge_{t_u, t_w \in T^+} (t_u = t_w)$.

For an action transition $(s, \bar{v}) \xrightarrow{a} (s', \bar{v}')$, we have $\bar{v}'(t_u) = \bar{v}(t_u)$ for $u \notin R_a$ and $\bar{v}'(t_x) = t_{i_x}$ for $x \in R_a$ (where $i_x$ identifies the automaton $A_{i_x}$ containing $x$). We denote this by $\bar{v}' = \bar{v}[t_x \mapsto t_{i_x}]_{x \in R_a}$ and extend the notation to clock zones. Also, the enabling condition $\psi_a$ holds for $\bar{v}$ and the reference times in $T_a = \{t_i \mid i \in \mathit{active}(a)\}$ have equal values. Thus, we have $\mathit{succ}_a(\psi_l) = \{\bar{v}' \mid (s, \bar{v}) \xrightarrow{a} (s', \bar{v}')\} = (\psi_l \wedge \psi_a \wedge \bigwedge_{t_i, t_j \in T_a} t_i = t_j)[t_x \mapsto t_{i_x}]_{x \in R_a}$, or equivalently $\mathit{succ}_a(\psi_l) = [\exists X_a \,.\, \psi_l \wedge \psi_a \wedge \bigwedge_{t_i, t_j \in T_a} t_i = t_j] \wedge \bigwedge_{x \in R_a} t_x = t_{i_x}$, with $X_a = \{t_x \mid x \in R_a\}$ and $\exists X_a$ denoting quantification over all variables in $X_a$. Difference constraints are closed under conjunction and quantification, therefore $\mathit{succ}_a(\psi_l)$ is a difference constraint.

For a local delay transition $(s, \bar{v}) \xrightarrow{d}_i (s, \bar{v}')$, we have $\bar{v}'(t_i) = \bar{v}(t_i) + d$ and $\bar{v}'(t_u) = \bar{v}(t_u)$ for all $t_u \in T^+ \setminus \{t_i\}$. Denote this by $\bar{v}' = \bar{v} +_i d$ and let $\psi_l{\uparrow_i} = \{\bar{v}' \mid \bar{v} \in \psi_l,\ \exists d \in \mathbb{R}_+ \,.\, \bar{v}' = \bar{v} +_i d\}$ be the zone obtained from $\psi_l$ after an arbitrary delay $\xrightarrow{d}_i$. If $e[y/x]$ denotes substitution of $y$ for $x$ in $e$, then we have $\psi_l{\uparrow_i} = [\exists d \in \mathbb{R}_+ \,.\, \psi_l][t_i / t_i + d] = [\exists t_i \in \mathbb{R}_+ \,.\, \psi_l \wedge t'_i \geq t_i][t_i / t'_i]$. Since $(s, \bar{v}) \xrightarrow{d}_i (s, \bar{v}')$ iff $\bar{v}' = \bar{v} +_i d$ and $I_i(s_i)$ holds, we obtain that $\mathit{succ}^\Delta_i(\psi_l) = \psi_l{\uparrow_i} \wedge I_i(s_i)$, which is again a difference constraint.

Combining action and delay steps, we obtain:

$\mathit{succ}^l(\psi_l, a) = \big([\exists X_a \,.\, \psi_l \wedge \psi_a \wedge \bigwedge_{t_i, t_j \in T_a} t_i = t_j] \wedge \bigwedge_{x \in R_a} t_x = t_{i_x}\big){\uparrow_{i_1}} \cdots {\uparrow_{i_k}} \wedge \bigwedge_{i \in \mathit{active}(a)} I_i(s'_i)$. □

Despite the desynchronization introduced by the local-time model, the representation of a local-time clock zone is still monolithic and relates reset times of clocks to reference times in all automata. We prove that for a class of networks the following simpler representation holds:

Proposition 4 If every synchronization transition in network $A$ resets at least one clock in each participating automaton, a local-time clock zone has the form $\psi_l = \psi_\Delta(T) \wedge \bigwedge_{i=1}^n \psi_i(T_i, t_i)$, where:

• $\psi_\Delta = \bigwedge_{t_x, t_y \in T} t_x - t_y \prec_{xy} c_{xy}$, with $c_{xy} \in \mathbb{Z}$

• $\psi_i = \bigwedge_{t_x \in T_i} (t_i - t_x \prec_{ix} c_{ix} \wedge t_x - t_i \prec_{xi} c_{xi})$, with $c_{ix}, c_{xi} \in \mathbb{Z}$

In this case, we call $A$ a sync-reset network of automata. The special form for a clock constraint in this case signifies that there is no need to explicitly maintain constraints that relate the reset time of a clock to the local time of a different automaton. The constraint is composed of a global constraint $\psi_\Delta(T)$ that relates pairs of any two reset times, and of one local constraint $\psi_i$ for each process, comparing the reset times in the automaton $A_i$ to its local clock $t_i$. A network of automata $A$ may satisfy this additional property if each synchronization transition determines the future timing behavior of both automata involved, and it is thus necessary to refer to its execution time by means of a clock reset in both automata.

Proof: The initial zone can be written as $\mathit{init}^l(s^0) = \bigwedge_{x, y \in C} (t_x = t_y) \wedge \bigwedge_{i=1}^n I_i(s_i^0)$. In the expression of $\mathit{succ}^l$ from Proposition 3 the term $\psi_l \wedge \psi_a \wedge \bigwedge_{t_i, t_j \in T_a} t_i = t_j$ has the required form, save for the equalities $t_i = t_j$. Quantification over $X_a$ introduces constraints between $t_x$ and $t_i$, for $t_x \in T$ and $i \in \mathit{active}(a)$. By assumption, for every $i \in \mathit{active}(a)$ there exists a clock $x \in R_a \cap C_i$ that is reset, and the new value of $t_x$ is $t_i$. Therefore, constraints on $t_i$ and $t_y$ can be replaced with constraints between $t_x$ and $t_y$, which are incorporated in $\psi_\Delta$. Finally, executing ${\uparrow_i}$ for $i \in \mathit{active}(a)$ removes the equalities $t_i = t_j$, and adds inequalities of the form $t_u - t_j = (t_u - t_i) + (t_i - t_j) \prec_{ui} c_{ui} + 0$ with $u \in C_i$. However, if $y \in R_a \cap C_j$, this inequality can already be obtained considering $(t_u - t_y) + (t_y - t_j)$, both terms already present in the desired form. □

We give an example to show that the reduced representation is not sufficient in the general case. Consider automata $A_1$ and $A_2$, with clocks $x$ and $y$, that synchronize on transition $a$. After executing the synchronization transition, the full representation of the corresponding clock zone would be $t_1 - t_x > 3 \wedge t_2 - t_x > 3 \wedge t_1 - t_y > 0 \wedge t_2 - t_y > 0$. Then, transition $b$ can only be executed if $t_2 - t_y < 2$, which given that $t_2 - t_x > 3$, implies $t_x - t_y < 1$. However, the constraints $t_2 - t_x > 3$ and $t_1 - t_y > 0$ cannot be part of the simplified representation. If these constraints are ignored, the system could execute transition $b$ regardless of the relation between $t_x$ and $t_y$, leading to extraneous behaviors.


Figure  3.3:  Synchronization  transitions  and  zone  representation 

Clock difference constraints are generally represented as difference-bound matrices [Dil89], which are indexed by clock variables and whose elements are bounds, i.e., pairs of the form $(\prec, c)$ corresponding to an atomic clock constraint. The component $\psi_A$ of a local-time zone can be represented as a difference-bound matrix with $|C|$ rows and columns. Each constraint $\psi_i$ requires $2 \cdot |C_i|$ additional time bounds, for a total of $2 \cdot |C|$, i.e., an additional row and column. Thus, $\psi_l$ can be represented by a matrix with $|C| + 1$ rows and columns, the same size as the DBM used in the standard algorithm.

However, the computations performed on this matrix must take into account that segments of the additional row and column correspond to different automata and thus to different reference times. The successor computation for a transition is performed first on the submatrix corresponding to the clocks of the active automata together with their reference times (which have to be equal in this case). If any constraints between clocks are strengthened in this process, the $|C| \times |C|$ submatrix corresponding to $\psi_A$ is canonicalized. This may strengthen constraints between clocks in an automaton $A_k$ outside the active set of the transition, which may in turn strengthen constraints in $\psi_k$ between the clocks in $A_k$ and the reference time $t_k$.

If  some  automata  in  the  network  have  synchronization  transitions  that 
do  not  reset  clocks,  one  solution  is  to  introduce  in  each  of  these  automata 
an  additional  clock  that  is  reset  on  such  synchronization  transitions.  In  this 
way,  the  network  of  automata  is  transformed  into  a  sync-reset  network,  with 
potentially  fewer  than  n  additional  time  variables. 
In the general case, a smaller difference-bound matrix can also be obtained using the clock activity reduction of [DY96]. In this case the dimension of the DBM changes dynamically at each state, by eliminating the clocks that will no longer be used before their next reset. Using the same approach in the local-time model, we can also eliminate reference times in some cases. If all transitions entering local state $s$ in automaton $A_i$ reset clock $x$, then the strongest constraints at $s$ on the reference time $t_i$ are $t_i \geq t_x$, together with any local invariant of $s$. Thus, it is possible to represent the local-time zone at $s$ as a DBM without $t_i$, and to add the above-mentioned constraints when the next local transition from $s$ is explored.

3.7 Preservation of $LTL_\Delta$ formulas

In the local-time model $\mathcal{L}(A)$ the executions of the component automata are decoupled from each other, except for synchronization transitions. Consequently, $\mathcal{L}(A)$ accepts a richer set of behaviors than $\mathcal{S}(A)$. This section establishes restrictions on the local-time model which ensure that each of its traces is equivalent, with respect to a given $LTL_\Delta$ formula $\varphi$, to a trace of the standard model.

The semantics of $LTL_\Delta$ is extended to the local-time model by defining the satisfaction of an atomic time constraint in a local-time configuration:
$(s, v) \models x - y \prec c$ iff $v(t_y) - v(t_x) \prec c$

We have $v(t_y) - v(t_x) = (time_j - v(y)) - (time_i - v(x))$, assuming $x \in C_i$ and $y \in C_j$. Thus, in a synchronized configuration ($time_i = time_j$) the semantics is the same as for the standard model.

Since  next-time  free  LTL  formulas  are  invariant  under  stuttering,  the 
transitions  which  affect  the  truth  of  the  specification  are  identified  as  follows: 

Definition 11 (Visibility) A transition $(s, v) \to (s', v')$ is invisible with respect to a specification $\varphi$ if every atomic subformula of $\varphi$ has the same truth value in $(s, v)$ and $(s', v')$. A transition which is not invisible is called visible.

Then,  a  transition  in  C(A)  is  visible  if  it  connects  two  states  which  dif¬ 
fer  by  at  least  one  atomic  proposition  in  the  specification  (visibility  in  the 
control  space)  or  it  resets  at  least  one  clock  in  the  specification,  affecting  the 
truth  value  of  a  difference  constraint  (visibility  in  the  time  domain).  Delay 
transitions  are  invisible,  since  they  do  not  change  the  control  state  and  do 
not  reset  clocks. 
For a network of timed automata A and a formula $\varphi$ in $LTL_\Delta$ denote by $\mathcal{F}^\varphi(A)$ the set of those traces of $\mathcal{L}(A)$ which satisfy the following properties:

• Ordering (O): Visible transitions occur in increasing order of their execution times. That is, in any trace $\sigma \in \mathcal{F}^\varphi(A)$, for visible transitions $\tau_k$ and $\tau_l$ with $k < l$, we have $time(\tau_k) < time(\tau_l)$ (where $time(\tau) = time_i$ for some $i \in active(\tau)$ is the timepoint at which $\tau$ is executed).

• Fairness (F): Time progress is unbounded in all component automata. That is, for any trace $\sigma \in \mathcal{F}^\varphi(A)$, automaton $A_i$ and time $M \in \mathbb{R}^+$, there exists $k \in \mathbb{N}$ with $time_i(\sigma_k) > M$.

Theorem 4 Given an $LTL_\Delta$ formula $\varphi$, for any execution trace in the model $\mathcal{S}(A)$ there exists an execution trace in $\mathcal{F}^\varphi(A)$ which has the same truth value for $\varphi$, and vice versa.

Proof: The direct implication is straightforward: from a trace $\sigma$ in $\mathcal{S}(A)$ construct a trace $\sigma_l$ in $\mathcal{L}(A)$ by replacing each global delay transition with the sequence of the corresponding local delay transitions in $A_1, \dots, A_n$. The trace $\sigma_l$ also satisfies O, since no action transitions are reordered, and F, since the same delay transitions are executed in each automaton. Since delay transitions are invisible, this transformation does not change the truth value of the $LTL_\Delta$ formula $\varphi$, and $\sigma \models \varphi$ iff $\sigma_l \models \varphi$.

For the reverse implication, we construct $\sigma$ from $\sigma_l$ by reordering all transitions so they occur in increasing order of their timepoints. The ordering condition O guarantees that no visible transitions are reordered, and the truth value of the formula is not changed. In this transformation, delay transitions may be split and reordered so that every action transition is preceded by equal delays in all automata. The fairness condition F guarantees that for all automata, local delay transitions totaling the needed amount exist in $\sigma_l$. Finally, all local delay transitions between two consecutive action transitions are merged into a global delay transition, resulting in a trace $\sigma$ of $\mathcal{S}(A)$. □

Based on the above theorem, we proceed as follows: We first define a restricted local-time model $\mathcal{L}^\varphi(A)$ whose traces satisfy the ordering condition O. Next, we construct a zone automaton $\mathcal{Z}^\varphi(A)$ whose states are local-time atoms, i.e., sets of configurations with the same truth value for all atomic subformulas of $\varphi$. We show a correspondence between the traces of $\mathcal{L}^\varphi(A)$ and $\mathcal{Z}^\varphi(A)$, and then impose a fairness condition corresponding to F to ensure equivalence with the standard model. Finally, we apply a maximization of the atoms in $\mathcal{Z}^\varphi(A)$ to obtain an automaton $\mathcal{M}^\varphi(A)$ which is guaranteed to be finite and therefore amenable to model checking.

To preserve the ordering of visible transitions, we introduce an additional reference variable $t_v$, which denotes the timepoint of the last executed visible transition. The domain of the valuation $v$ is extended to include $t_v$. In the initial configuration, $v(t_v) = 0$. The model $\mathcal{L}^\varphi(A)$ is defined in the same way as $\mathcal{L}(A)$, but with the additional restriction $v(t_v) < time(a)$ for the execution of a visible transition $a$, and $v'(t_v) = time(a)$ in the resulting configuration. This guarantees that each visible transition is executed at a later timepoint than the previous one, and thus ensures condition O.

With these additional constraints, the zone successor for a visible transition becomes: $succ_l(\psi, a) = [\exists X_a \exists t_v\,.\,\psi \wedge \psi_a \wedge \bigwedge_{i,j \in active(a)} t_i = t_j \wedge \bigwedge_{u \in T_a} t_v < t_u] \wedge \bigwedge_{u \in T_a} t_v = t_u \wedge \bigwedge_{i \in active(a),\, x \in C_i \cap R_a} t_x = t_i$. For invisible transitions, the successor operation remains the same.

To perform model checking on the local-time zone automaton, one has to consider zones in which all configurations satisfy the same atomic subformulas of the specification $\varphi$ (cf. [YS97]):

Definition 12 (Atom) Given a timed automaton A and an $LTL_\Delta$ formula $\varphi$, an atom is a zone $(s, \psi_l)$ such that $\forall v_1, v_2 \in \psi_l\,.\, v_1(t_y) - v_1(t_x) \prec c \Leftrightarrow v_2(t_y) - v_2(t_x) \prec c$ for any constraint $x - y \prec c$ in $\varphi$.

Consequently, two configurations $(s, v_1)$ and $(s, v_2)$ in an atom $(s, \psi_l)$ have the same truth value for all atomic constraints in formula $\varphi$. We introduce the additional atomic propositions $q_k \in Q$, $q_k = (t_{y_k} - t_{x_k} \prec_k c_k)$, for each atomic clock constraint in $\varphi$ and thus reduce $\varphi$ to a next-time free LTL formula $\varphi_q$. The atoms comprising $(s, \psi_l)$ are given by the nonempty intersections between $\psi_l$ and all constraints $t_{y_k} - t_{x_k} \prec_k c_k$, either in positive or negated form:

$at^\varphi((s, \psi_l)) = \{(s, \phi) \mid \phi = \psi_l \wedge \bigwedge_{k} q'_k \neq \emptyset, \text{ with } q'_k = q_k \text{ or } q'_k = \neg q_k\}$.

Define transitions between atoms as follows: $z \stackrel{a}{\Rightarrow} z'$ if $a \in enabled(z)$ and $z' \in at^\varphi(succ_l(z, a))$, and $z \Rightarrow z$ if all local states $s_i$ of $z$ have a trivial invariant $I(s_i) = true$, for $1 \le i \le n$. Only in this case can the automaton remain at that state forever. If at least one local control state has an invariant with an upper bound, the system will be forced to a different global state as the local state in that automaton changes. Then, the atom graph corresponding to A and formula $\varphi$ is defined as follows:

Definition 13 (Atom graph) The atom graph $\mathcal{A}^\varphi(A)$ of a timed automaton A with respect to formula $\varphi$ is a state-transition graph $(\mathcal{Z}^\varphi_0, \mathcal{Z}^\varphi, \Rightarrow)$, with $\mathcal{Z}^\varphi_0$ the set of initial local-time zones, $\Rightarrow$ the atom transition relation and $\mathcal{Z}^\varphi$ the set of atoms reachable from $\mathcal{Z}^\varphi_0$ by repeated application of $\Rightarrow$.

Then,  our  problem  reduces  to  LTL  model  checking: 

Proposition 5 For each execution trace $\sigma_l$ of $\mathcal{L}^\varphi(A)$, there is an atom sequence in $\mathcal{A}^\varphi(A)$ that has the same truth value for $\varphi_q$ as $\sigma_l$ has for $\varphi$, and vice versa.

Proof: The proof is based on reordering the delay transitions in trace $\sigma_l$ as done in the proof of Proposition 2. Any delay transition in an automaton $A_i$ for which $\sigma_l$ contains a subsequent action transition in the same automaton $A_i$ can be moved towards the beginning of $\sigma_l$ (possibly merging consecutive delay transitions in the same automaton), until either the preceding action transition involves $A_i$, or there is no preceding action transition. Let $\sigma'_l$ be the execution trace obtained by this transformation. We have $\sigma'_l \models \varphi$ iff $\sigma_l \models \varphi$, since delay transitions are invisible and their permutation does not change the truth value of the formula.

We now establish by induction a correspondence between the execution trace $\sigma'_l$ and an atom sequence $\rho = \alpha_0 \Rightarrow \alpha_1 \Rightarrow \alpha_2 \dots$. If $s^0$ is the initial control state in $\sigma'_l$ then $\alpha_0 = init_l(s^0)$ is the first atom of $\rho$. Indeed, if $\gamma_0$ is the configuration reached in $\sigma'_l$ from $(s^0, 0)$ by executing any delay transitions before the first action transition, then $\gamma_0 \in \alpha_0$.

For the induction step, consider the subsequence of $\sigma'_l$ starting at configuration $\gamma_k \in \alpha_k$, with $k > 0$, ending at a configuration $\gamma_{k+1}$, and consisting of an action transition $a_k$ followed by any delay transitions up to the next action transition in $\sigma'_l$. These delay transitions must occur either in automata from the active set of $a_k$, or in automata which have no subsequent action transition in $\sigma_l$. For the latter transitions, the invariant at the local state must be trivially true, since time advances to infinity in $\sigma'_l$. Thus, taking these transitions leads to configurations in the same atom. The delay transitions in automata from the active set of $a_k$ are included in the definition of the zone successor for $a_k$, and consequently we have $\gamma_{k+1} \in succ_l(\alpha_k, a_k)$. Thus, we can define $\alpha_{k+1}$ as the atom from $at^\varphi(succ_l(\alpha_k, a_k))$ to which configuration $\gamma_{k+1}$ belongs, preserving the induction invariant.

Finally, if $\sigma'_l$ contains only a finite number of action transitions, it means that the resulting state has trivial invariants at each local state. Then we can extend the atom sequence $(\alpha_k)$ with a $\Rightarrow$ transition for each delay transition in $\sigma'_l$ following the last action transition. Since by construction $\gamma_k \in \alpha_k$, it follows that $\sigma'_l$ and $\rho$ have pointwise the same truth values for all atomic propositions in $P \cup Q$ (the delay transitions in $\sigma'_l$ and the $\Rightarrow$ transitions in $\rho$ are stuttering steps).

For the reverse step, since $\alpha \stackrel{a}{\Rightarrow} \alpha'$ iff every configuration in $\alpha'$ is reachable from some configuration in $\alpha$ by executing $a$ followed by delay transitions, it follows by induction that any atom sequence $\rho$ has a witness trace of configurations. Since the constructed configurations belong pairwise to atoms in $\rho$, the two sequences must have the same truth value for the formula $\varphi$. □

It remains to restrict the zone execution sequences such that the included execution traces satisfy the fairness condition F. Otherwise, the local-time model may contain traces that do not require all automata to execute, and do not correspond to any trace in the standard model. The fairness condition F is violated if in one of the component automata the execution trace cannot make indefinite time progress. This is the case if, starting from some point in the zone sequence, there exists a clock on which each zone imposes an upper bound due to its invariant. The negation of this condition means that any clock which is infinitely often limited by an invariant has to be reset infinitely often, allowing time to diverge. Consequently, the fairness constraint can be written as a temporal logic formula in terms of the underlying state-transition structure of the automaton, $\bigwedge_{x \in C} GF\,x.bounded \Rightarrow GF\,x.reset$. The model checking problem on the initial network of automata is thus reduced to LTL model checking of a finite Kripke structure with a set of fairness constraints.

The  fairness  constraint  can  also  be  enforced  by  a  more  restrictive  def¬ 
inition  of  allowable  successor  transitions,  while  also  providing  a  guarantee 
that  the  local-time  atom  graph  will  not  contain  more  zones  than  the  one 
constructed  for  a  global-time  model.  Note  that  allowing  each  automaton  to 
execute  decoupled,  in  its  own  local  time  scale  can  lead  to  some  automata 
overtaking  the  others  and  some  lagging  behind  in  time.  In  particular,  this 
may  lead  to  the  exploration  of  control  states  that  do  not  appear  in  the  original 
model,  because  the  local  reference  times  do  not  coincide.  This  does  not  affect 
the  correctness  of  our  result,  since  we  have  restricted  visible  transitions  to 
their  initial  ordering.  However,  it  may  cause  the  local-time  model  (to  which 
partial  order  reduction  will  be  applied)  to  contain  more  enabled  transitions 
at  each  state  (since  they  do  not  have  to  be  executed  in  time  order),  and  thus 
more  control  states. 
A local-time zone $(s, \psi_l)$ is called synchronizable if it contains at least one synchronized configuration, with $v(t_i) = v(t_j)$ for all $i, j \in 1..n$. In other words, $(s, \psi_l)$ is synchronizable iff $\psi_l \wedge \bigwedge_{i \neq j} t_i = t_j$ is satisfiable. A transition $a$ is firable in zone $(s, \psi_l)$ if it is enabled in $(s, \psi_l)$ and $succ_l((s, \psi_l), a)$ is synchronizable. If the atom graph is generated using only firable transitions, this ensures that a transition can be taken in the atom graph iff it can be taken in the original zone automaton. Clearly, this also ensures the fairness conditions, since the time progress of at least one automaton (due to the non-Zeno assumption) together with synchronization implies the time progress of all components towards infinity. In terms of efficiency, this approach trades a potentially smaller size of the model before reduction against a more complex test for firability of a transition.


3.8  Building  a  finite  model 

In general, the local-time zone automaton can be infinite, since the difference bounds on clocks can become arbitrarily large. The original formulation of the local-time model [BJLW98] gives a proof that the infinite number of local-time zones can be divided into a finite number of equivalence classes, based on the standard region-graph equivalence. However, this proof is non-constructive. In particular, it gives no concrete means of determining the equivalence of two unsynchronized local-time zones, which is needed to ensure termination of the state space search.

In  this  section,  we  show  that,  just  as  in  the  case  of  the  standard  zone 
automaton,  the  actual  value  of  the  bounds  on  clock  differences  does  not 
affect  the  enabledness  of  transitions,  once  a  certain  value  is  exceeded.  Each 
local-time  zone  can  therefore  be  normalized  in  order  to  obtain  a  finite  model. 

We adapt the maximization operation used, e.g., in [Won94] to the local-time model. Let $c_{min}$ and $c_{max}$ be the minimum and maximum constants in the description of the automaton A and the formula $\varphi$ (assuming all constraints are given in canonical form, $t_u - t_v \prec d$). We adapt the region graph construction of [ACD90] to the local-time model as follows:


Definition 14 Two valuations $v$ and $v'$ are called region-equivalent (denoted by $v \sim_{reg} v'$) if for any time variables $t_u, t_v \in T^+$, one of the following conditions holds:

(a) $c_{min} \le \lfloor v(t_u) - v(t_v) \rfloor = \lfloor v'(t_u) - v'(t_v) \rfloor \le c_{max}$, and $v(t_u) - v(t_v) \in \mathbb{Z} \Leftrightarrow v'(t_u) - v'(t_v) \in \mathbb{Z}$

(b) $\lfloor v(t_u) - v(t_v) \rfloor < c_{min}$ and $\lfloor v'(t_u) - v'(t_v) \rfloor < c_{min}$

(c) $\lfloor v(t_u) - v(t_v) \rfloor > c_{max}$ and $\lfloor v'(t_u) - v'(t_v) \rfloor > c_{max}$

Region equivalence can be extended naturally to configurations by defining $(s, v) \sim_{reg} (s', v')$ iff $s = s'$ and $v \sim_{reg} v'$. Regions are the equivalence classes induced by $\sim_{reg}$ on the set of configurations $\Sigma_c$. The following lemma holds:

Lemma 6 Let $v \sim_{reg} v'$. Then:

1. For any constraint $\psi$ in A or in the specification $\varphi$, $v \in \psi$ iff $v' \in \psi$.

2. For any clock set $R$, $v[R \mapsto 0] \sim_{reg} v'[R \mapsto 0]$.

3. For $i \in 1..n$ and $d \ge 0$ there exists $d' \ge 0$ such that $v +_i d \sim_{reg} v' +_i d'$.

The proof reduces to the known result for the (global) region graph construction, with the following two observations. First, the local-time model adds the implicit constraints $t_i = t_j$ for synchronization transitions, but the constants in these constraints are 0, and do not influence $c_{min}$ and $c_{max}$. Second, when performing a local-time delay in automaton $A_i$, the only variable that changes its valuation is $t_i$. Therefore, the other reference times $t_j$, with $j \neq i$, are indistinguishable from ordinary reset times $t_x$, with $x \in C$, and the situation is identical to the global time model, for which the property is known to hold.
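
As an added worked example (written for this edit, not part of the dissertation), the following Python code checks region equivalence of two local-time valuations according to Definition 14 and exercises the closure properties of Lemma 6 (clock reset and local delay) on a constructed pair of valuations. The variable names, the sample values and the constants $c_{min} = -3$, $c_{max} = 3$ are assumptions made for the example.

```python
from math import floor

# Time variables are named strings: reset times "tx", "ty", ... and reference
# times "t1", "t2", ... (one per component automaton).  A valuation is a dict
# from time variable to a real value.  Names and values are constructed here.

def _same_class(d, d2, cmin, cmax):
    """Definition 14 for one pair: d = v(t_u)-v(t_v), d2 = v'(t_u)-v'(t_v)."""
    f, f2 = floor(d), floor(d2)
    if f < cmin and f2 < cmin:          # (b): both below c_min
        return True
    if f > cmax and f2 > cmax:          # (c): both above c_max
        return True
    # (a): equal integer parts inside [c_min, c_max] and the same integrality
    return cmin <= f == f2 <= cmax and (d == f) == (d2 == f2)

def region_equivalent(v, v2, cmin, cmax):
    """v ~reg v': every ordered pair of time variables satisfies (a), (b) or (c)."""
    if set(v) != set(v2):
        raise ValueError("valuations must range over the same time variables")
    return all(_same_class(v[tu] - v[tv], v2[tu] - v2[tv], cmin, cmax)
               for tu in v for tv in v)

def satisfies(v, tu, tv, c, strict=False):
    """Truth value of the atomic constraint t_u - t_v < c (strict) or <= c in v."""
    d = v[tu] - v[tv]
    return d < c if strict else d <= c

def local_delay(v, ti, d):
    """Local delay d in the automaton with reference time ti: only ti advances."""
    w = dict(v)
    w[ti] += d
    return w

def reset(v, ti, clocks):
    """Reset the given clocks of the automaton with reference time ti: t_x := t_i."""
    w = dict(v)
    for tx in clocks:
        w[tx] = v[ti]
    return w

# Constructed sample: A1 owns clock x (reference time t1), A2 owns clock y (t2).
CMIN, CMAX = -3, 3
V = {"t1": 3.5, "tx": 1.0, "t2": 2.2, "ty": 2.0}
V2 = {"t1": 4.7, "tx": 2.0, "t2": 3.1, "ty": 3.0}

if __name__ == "__main__":
    print(region_equivalent(V, V2, CMIN, CMAX))                        # True
    # Lemma 6 (1): a constraint with constant in [c_min, c_max] agrees on both
    print(satisfies(V, "t1", "tx", 3) == satisfies(V2, "t1", "tx", 3))  # True
    # Lemma 6 (2) and (3): equivalence is preserved by reset and (matched) delay
    print(region_equivalent(reset(V, "t1", ["tx"]), reset(V2, "t1", ["tx"]), CMIN, CMAX))
    print(region_equivalent(local_delay(V, "t1", 0.4), local_delay(V2, "t1", 0.1), CMIN, CMAX))
```

Every ordered pair of time variables is compared, so reference times of other automata are treated exactly like reset times, which is the second observation in the proof sketch above; in the delay case the matching delay $d'$ for the second valuation has to be found separately (here 0.1 for 0.4), as point (3) of the lemma only asserts its existence.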

Since the execution of any transition is expressed in terms of conjoining with the constraints of A, resetting clocks and advancing local time, Lemma 6 implies the following property (cf. [ACD90]):

Proposition 7 Let $\gamma \sim_{reg} \gamma'$ be two region-equivalent configurations in $\Sigma_c$.

1. If $\gamma \stackrel{a}{\to} \gamma_1$, there exists $\gamma'_1 \sim_{reg} \gamma_1$ such that $\gamma' \stackrel{a}{\to} \gamma'_1$.

2. If $\gamma \stackrel{d}{\to}_i \gamma_1$ with $d \in \mathbb{R}^+$, $i \in 1..n$, there exists $d' \in \mathbb{R}^+$ and $\gamma'_1 \sim_{reg} \gamma_1$ such that $\gamma' \stackrel{d'}{\to}_i \gamma'_1$.
We define the maximization $max(z)$ of a zone $z$ as the set of configurations which are region-equivalent to some configuration in $z$: $max(z) = \{\gamma' \in \Sigma_c \mid \exists \gamma \in z\,.\,\gamma \sim_{reg} \gamma'\}$. A maximized zone is therefore a convex union of regions, since by including one configuration of a region it has to include all others. It is easily seen that a maximized zone is obtained from the canonical representation of a zone by modifying all constraints outside the range $[c_{min}, c_{max}]$: $t_u - t_v \prec c$ with $c < c_{min}$ becomes $t_u - t_v \le c_{min}$ and $t_u - t_v \prec c$ with $c > c_{max}$ becomes $t_u - t_v < \infty$ (trivially true). Furthermore, by point (1) of Lemma 6, a maximized atom is in turn an atom. Define $succ_m(z, a) = max(succ_l(z, a))$ and let $\mathcal{M}^\varphi(A)$ be the atom graph induced by $succ_m$ through repeated application from an initial zone. Since the constants in a maximized zone are bounded, it follows that $\mathcal{M}^\varphi(A)$ is finite.

By Proposition 7, the same transitions are enabled in every point of a region. Since a maximized atom is the closure of an atom with respect to region equivalence, this implies that the atom graph $\mathcal{A}^\varphi(A)$ and the maximized atom graph $\mathcal{M}^\varphi(A)$ are bisimilar. Putting the previous results together, we obtain the following theorem, which reduces our initial problem to LTL model checking with fairness constraints on a finite model:

Theorem 5 The model $\mathcal{M}^\varphi(A)$ with the fairness constraint F is equivalent to the standard model $\mathcal{S}(A)$ with respect to the formula $\varphi$.


3.9  Partial  order  reduction 

Having established the visible transitions in the model $\mathcal{M}^\varphi(A)$, one needs to determine the transition dependence relation in order to apply partial order reduction. Bengtsson et al. [BJLW98] give a purely structural dependence relation, identical to that for untimed parallel composition: two transitions are independent if the two sets of automata involved in each of them are disjoint. Indeed, Theorem 1 shows that this condition is sufficient for the local-time model $\mathcal{L}(A)$. Since transitions in the zone automaton are composed of action and local delay transitions in the local-time model, the independence condition also follows for the zone automaton: $a$ and $b$ are independent if $active(a) \cap active(b) = \emptyset$, and then we have $succ_l(succ_l(z, a), b) = succ_l(succ_l(z, b), a)$.

However, in the local-time zone automaton, just like in the standard zone automaton, one needs to take into account the fact that transitions which are both enabled in a zone may actually be enabled in different sets of configurations belonging to that zone.

To see this, consider automata $A_1$ and $A_2$ with clock sets $\{x, u\}$ and $\{y, v\}$ respectively and assume that the current zone has been reached after executing two synchronization transitions, one resetting $x$ and $y$, and the second resetting $u$ and $v$. Thus, we have $t_x = t_y$ and $t_u = t_v$. Assume now that transition $a$ in $A_1$ has enabling condition $x - u = t_u - t_x < 2$ and transition $b$ in $A_2$ requires $y - v = t_v - t_y > 3$. Since $t_u - t_x = t_v - t_y$ due to the previous synchronizations, the two conditions cannot be satisfied simultaneously. Exploring either of $a$ and $b$ restricts the current local-time zone to a fragment where the other transition is no longer enabled. Thus, even though $a$ and $b$ are independent, selecting only one of them as an ample set would violate condition C0.

Consequently, when selecting a set of ample transitions, one needs to make sure that condition C0 is observed and at least one ample transition is enabled in every configuration that has a transition enabled in the unreduced model. Let $guard(a)$ be the enabling condition of $a$ in the local-time model, i.e., $\psi_a \wedge \bigwedge_{i,j \in active(a)} t_i = t_j$. If $\psi_l$ is the current local-time zone at state $s$, we require $\psi_l \wedge \bigvee_{a \in enabled(s)} guard(a) = \psi_l \wedge \bigvee_{a \in ample(s)} guard(a)$.

A simpler, sufficient condition can be given as follows. Let $T_{ample}$ be the set of all time variables (clock reset times and reference times) in the automata that contain transitions from the current ample set. The remaining enabled transitions do not involve any of these automata and thus depend only on variables in $T^+ \setminus T_{ample}$. If the set of configurations from which an ample transition is enabled, $\psi_l \wedge \bigvee_{a \in ample(s)} guard(a)$, contains any possible combination of variables in $T^+ \setminus T_{ample}$ allowed by $\psi_l$, then there are no configurations in $\psi_l$ for which transitions outside the ample set are enabled while transitions in the ample set are not. Thus, condition C0 is preserved. The corresponding relation is: $\exists T_{ample}\,.\,\psi_l \wedge \bigvee_{a \in ample(s)} guard(a) = \exists T_{ample}\,.\,\psi_l$. In particular, this relation is easy to check if the ample set contains a single transition: it means that after conjoining with its guard, the projection of the local-time zone onto the remaining automata is unmodified.
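
The following Python code is an added example, not the dissertation's own implementation, serving four passages at once: the difference-bound-matrix representation of local-time zones (Section 3.6), the synchronizability test of Section 3.7, the maximization of Section 3.8, and the single-transition form of the ample-set condition $\exists T_{ample}\,.\,(\psi_l \wedge guard(a)) = \exists T_{ample}\,.\,\psi_l$ just described. It keeps a zone as a DBM over named time variables, canonicalizes it by Floyd-Warshall closure, projects by dropping rows and columns of the closed matrix, and runs the check on the two-automata scenario of this section. All variable names, the constructed zone and the three guards are assumptions made for the example.

```python
# A bound is a pair (c, strict): the constraint t_i - t_j < c if strict, else
# t_i - t_j <= c.  Variable names ("tx", "t1", ...) are assumptions of this example.
TRIVIAL = (float("inf"), True)

def add(b1, b2):
    """Compose two bounds along a path: constants add, strict if either is strict."""
    return (b1[0] + b2[0], b1[1] or b2[1])

def tighter(b1, b2):
    """True if bound b1 is strictly tighter than bound b2."""
    return b1[0] < b2[0] or (b1[0] == b2[0] and b1[1] and not b2[1])

class DBM:
    """Difference-bound matrix over named time variables (clock reset times and
    local reference times): a local-time zone in the sense of Section 3.6."""

    def __init__(self, variables):
        self.vars = list(variables)
        self.m = [[TRIVIAL] * len(self.vars) for _ in self.vars]
        for i in range(len(self.vars)):
            self.m[i][i] = (0, False)

    def copy(self):
        d = DBM(self.vars)
        d.m = [row[:] for row in self.m]
        return d

    def conjoin(self, u, v, c, strict=False):
        """Conjoin t_u - t_v < c (strict) or t_u - t_v <= c."""
        i, j = self.vars.index(u), self.vars.index(v)
        if tighter((c, strict), self.m[i][j]):
            self.m[i][j] = (c, strict)
        return self

    def equate(self, u, v):
        """Conjoin t_u = t_v (synchronization and reset constraints)."""
        return self.conjoin(u, v, 0).conjoin(v, u, 0)

    def canonicalize(self):
        """Floyd-Warshall closure: every entry becomes the tightest implied bound."""
        n = len(self.vars)
        for k in range(n):
            for i in range(n):
                for j in range(n):
                    via = add(self.m[i][k], self.m[k][j])
                    if tighter(via, self.m[i][j]):
                        self.m[i][j] = via
        return self

    def is_empty(self):
        """Empty iff the closure exposes a negative (or strict zero) cycle."""
        self.canonicalize()
        return any(tighter(self.m[i][i], (0, False)) for i in range(len(self.vars)))

    def project(self, keep):
        """Existentially quantify every variable not in keep: on the closed matrix,
        dropping the corresponding rows and columns is exact."""
        self.canonicalize()
        d = DBM(keep)
        for a in keep:
            for b in keep:
                d.m[d.vars.index(a)][d.vars.index(b)] = self.m[self.vars.index(a)][self.vars.index(b)]
        return d

    def maximize(self, cmin, cmax):
        """Section 3.8: bounds below c_min become <= c_min, bounds above c_max become trivial."""
        self.canonicalize()
        for i in range(len(self.vars)):
            for j in range(len(self.vars)):
                c = self.m[i][j][0]
                if i != j and c < cmin:
                    self.m[i][j] = (cmin, False)
                elif i != j and c > cmax:
                    self.m[i][j] = TRIVIAL
        return self

    def __eq__(self, other):
        return self.vars == other.vars and self.canonicalize().m == other.canonicalize().m

def synchronizable(zone, ref_times):
    """Section 3.7: the zone contains a configuration with all reference times equal."""
    z = zone.copy()
    for a, b in zip(ref_times, ref_times[1:]):
        z.equate(a, b)
    return not z.is_empty()

def single_ample_ok(zone, guard, t_ample):
    """Sufficient C0 check for an ample set with one transition:
    exists T_ample.(psi_l and guard) == exists T_ample.psi_l.
    guard lists (u, v, c, strict) constraints t_u - t_v < c or <= c."""
    rest = [x for x in zone.vars if x not in t_ample]
    restricted = zone.copy()
    for u, v, c, strict in guard:
        restricted.conjoin(u, v, c, strict)
    return restricted.project(rest) == zone.project(rest)

# Constructed scenario of Section 3.9: A1 has clocks {x, u}, A2 has {y, v}; two
# synchronizations reset (x, y) and later (u, v), hence t_x = t_y and t_u = t_v.
A1_VARS, A2_VARS = ["t1", "tx", "tu"], ["t2", "ty", "tv"]

def example_zone():
    z = DBM(A1_VARS + A2_VARS).equate("tx", "ty").equate("tu", "tv")
    z.conjoin("tx", "tu", 0)   # second synchronization after the first: t_u >= t_x
    z.conjoin("tu", "t1", 0)   # local time has advanced since the reset: t_1 >= t_u
    z.conjoin("tv", "t2", 0)   # likewise in A2: t_2 >= t_v
    return z.canonicalize()

GUARD_A = [("tu", "tx", 2, True)]    # a in A1: x - u = t_u - t_x < 2
GUARD_B = [("ty", "tv", -3, False)]  # b in A2: y - v = t_v - t_y >= 3
GUARD_C = [("tu", "t1", -1, False)]  # a local transition of A1 with guard u >= 1

if __name__ == "__main__":
    z = example_zone()
    print(synchronizable(z, ["t1", "t2"]))        # True
    print(single_ample_ok(z, GUARD_A, A1_VARS))   # False: guard(a) tightens t_v - t_y
    print(single_ample_ok(z, GUARD_C, A1_VARS))   # True: only A1's variables are touched
```

With $\{a\}$ as the ample set the projection onto $A_2$'s variables acquires the bound $t_v - t_y < 2$ that $\psi_l$ alone does not impose, so the check fails, matching the discussion above; a guard that mentions only $A_1$'s own variables leaves the projection unchanged and passes. Conjoining both $guard(a)$ and $guard(b)$ yields an empty DBM, which is the "cannot be satisfied simultaneously" observation in matrix form.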

The ample set reduction is done according to the criteria outlined in Section 2.6: a set of automata (ideally, a single one) with no locally enabled communication to automata outside the set is found. The cycle closing condition can be ensured either using the traditional depth-first search or using static partial order reduction, based on analyzing the cycle structure of the individual automata. Finally, if at the current point all local control states have trivial invariants, one takes into account that an infinite sequence of self-loop transitions $\Rightarrow$ is possible from this state.

If a local state with a nontrivial invariant is explored, one must make sure that when the upper bound of the invariant is reached, at least one of the transitions is enabled; otherwise, deadlock occurs since time cannot progress. If this invariant is of the form $(x_{i_1} \le d_{i_1}) \wedge \dots \wedge (x_{i_k} \le d_{i_k})$, the outgoing transitions are $a_1, \dots, a_m$ and the current clock zone is $\psi_l$, it has to be true that $\psi_l \wedge ((x_{i_1} = d_{i_1}) \vee \dots \vee (x_{i_k} = d_{i_k})) \Rightarrow (\psi_{a_1} \vee \dots \vee \psi_{a_m})$. A similar test can be made in the limit if the invariant inequalities are strict. This is generally considered a design correctness issue and is checked statically, with $\psi_l = true$; however, this requirement may be relaxed in favor of dynamic checking.

Since by introducing the auxiliary atomic propositions $q_k$ the $LTL_\Delta$ formula has been reduced to LTL, the ample set method can be used to construct a reduced model for the automaton $\mathcal{M}^\varphi(A)$, and to perform model checking by composing it with the tableau for the LTL formula, either using a complete construction [VW86] or on the fly [GPVW95].

Although our discussion has been limited to $LTL_\Delta$, a similar approach can be taken for a branching time logic, such as CTL without the next-time operator. In this case, one can use the result of [GKPP99], which gives an additional condition for partial order reduction: each state which is not fully expanded must have an ample set with a single transition.

3.10  Summary 

We have presented a method that allows the application of partial order reduction to systems modeled as a composition of timed automata. The method results in a reduction of the state space, as well as of the number of clock zones that are generated for each control state. Compared to previous related work, we have shown that partial order reduction can be used for model checking of properties described in a timed extension of linear temporal logic, rather than just for local reachability analysis. We have also proved that the state space of the local-time zone automaton admits a finite quotient by identifying when two zones are equivalent, and thus made a state space search algorithm possible. For a certain class of automata, we show that the local-time zones can be represented as efficiently as standard clock zones. Finally, we give practical conditions for selecting ample sets.
Chapter 4

Reduction for Other Timed Models

4.1 Partial Order Reduction for the Region Graph Automaton

We  have  so  far  investigated  partial  order  reduction  for  timed  automata  by 
using  the  zone  automaton  construction.  There  are  other  ways  in  which  a 
finite  quotient  for  the  timed  state  space  of  a  timed  automaton  can  be  built. 
The  first  such  construction  described  in  the  literature  is  the  region  graph 
automaton  [AD90,  ACD90].  Although  the  region  graph  is  in  general  more 
finely-grained  than  the  zone  automaton,  it  abstracts  away  from  the  passage 
of  time  and  can  be  encoded  as  a  simple  finite-state  machine. 

Recall that a timed automaton is a tuple $A = (S, S^0, C, E, I, \mu)$, where $S$ is the set of states, $S^0$ the set of initial states, $C$ the set of clocks, $E$ the set of edges, $I$ the invariant function for each node and $\mu$ a function labeling states with atomic propositions. The standard model of a timed automaton has timed states of the form $(s, v)$, where $s \in S$ is a control state and $v : C \to \mathbb{R}$ is a clock valuation.

The  region  graph  is  the  quotient  structure  induced  by  an  equivalence 
relation  on  the  timed  states  of  a  timed  automaton:  two  states  with  the  same 
control  location  are  equivalent  if  all  clock  values  agree  on  their  integral  parts 
and  have  the  same  ordering  of  their  fractional  parts.  Clocks  that  exceed 
a  certain  value  (which  can  be  taken  as  the  maximal  constant  cmax  in  the 
description  of  the  automaton)  are  considered  equivalent.  Formally,  we  have: 
Definition 15 Two clock valuations $v$ and $v'$ are equivalent ($v \sim_{reg} v'$) iff they satisfy the following three conditions:

1. For all $x \in C$, $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$ or both $v(x) > c_{max}$ and $v'(x) > c_{max}$.

2. For all $x, y \in C$ with $v(x) \le c_{max}$ and $v(y) \le c_{max}$, $\{v(x)\} \le \{v(y)\}$ iff $\{v'(x)\} \le \{v'(y)\}$.

3. For all $x \in C$ with $v(x) \le c_{max}$, $\{v(x)\} = 0$ iff $\{v'(x)\} = 0$.

It is easily shown that the above conditions define an equivalence relation. A clock region is an equivalence class of clock valuations with respect to $\sim_{reg}$. We denote by $[v]$ the clock region to which valuation $v$ belongs. A region is then a pair $(s, [v])$ of a control state $s$ and a clock region $[v]$.

It can be shown that the region equivalence relation is stable, that is, two timed states that belong to the same region have the same set of enabled transitions. Consequently, one can then define a transition relation between two regions as follows:

•  $(s, [v]) \xrightarrow{a} (s', [v'])$ iff $(s, v) \xrightarrow{a} (s', v')$

•  $(s, [v]) \xrightarrow{\delta} (s, [v'])$ iff $\exists t \in \mathbb{R}^+$ such that $(s, v) \xrightarrow{t} (s, v')$, and the interval $[0, t]$ can be partitioned into two intervals $I_1$ and $I_2$ such that $[v + t'] = [v]$ for $t' \in I_1$ and $[v + t'] = [v']$ for $t' \in I_2$.

In the first case, two regions are connected by an action transition if there exists such a transition between two representative timed states, one from each region. For the second case, recall that a timed automaton allows delay transitions of arbitrary amount, as long as the state invariant is satisfied. In the second case, a transition $\xrightarrow{\delta}$ exists between two regions if there exists a delay transition between two representative timed states that does not traverse other regions. (In an alternate definition for the region graph automaton, a transition between regions corresponds to the combination of an action and a delay transition in the underlying timed automaton.)

The fine granularity of the regions leads to state space explosion in the region graph automaton, compared to the zone automaton which is more coarse-grained and generally smaller. Consider, for instance, a clock valuation $v$ such that $\{v(x_1)\} < \{v(x_2)\} < \ldots < \{v(x_n)\}$, and the clock valuation $v + 1$ obtained from $v$ after passage of one time unit. The intermediate clock valuations on this delay transition belong to $2|C|$ different regions, as each of the fractional parts of $x_n, \ldots, x_2, x_1$ becomes successively zero, and then nonzero but smallest in sequence.
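As an added illustration of Definition 15 and of the $2|C|$ regions traversed in one time unit (example code, not part of the dissertation), the following Python computes a canonical key for the region of a clock valuation and enumerates the regions a delay passes through; clock values are exact fractions, and the valuations are constructed here.

```python
import math
from fractions import Fraction
from typing import Dict, Hashable, List, Union

Number = Union[int, str, Fraction]   # exact inputs only: 2, "0.3" or Fraction(3, 10)
Valuation = Dict[str, Fraction]      # clock name -> value


def valuation(**clocks: Number) -> Valuation:
    """Build an exact clock valuation (constructed sample input), e.g. valuation(x="0.3", y=2)."""
    return {name: Fraction(value) for name, value in clocks.items()}


def frac(q: Fraction) -> Fraction:
    """Fractional part {q}."""
    return q - math.floor(q)


def region_key(v: Valuation, cmax: int) -> Hashable:
    """Canonical description of the clock region [v] for the three conditions of
    Definition 15: two valuations are ~reg-equivalent iff their keys are equal."""
    clocks = sorted(v)
    # condition 1: integral parts, every clock above cmax collapsed to one marker
    integral = tuple("above" if v[x] > cmax else math.floor(v[x]) for x in clocks)
    # condition 2: ordering (with ties) of the fractional parts of the clocks <= cmax
    groups: Dict[Fraction, List[str]] = {}
    for x in clocks:
        if v[x] <= cmax:
            groups.setdefault(frac(v[x]), []).append(x)
    ordering = tuple(tuple(groups[f]) for f in sorted(groups))
    # condition 3: which of the clocks <= cmax have fractional part exactly zero
    zero = tuple(x for x in clocks if v[x] <= cmax and frac(v[x]) == 0)
    return (integral, ordering, zero)


def region_equivalent(v: Valuation, w: Valuation, cmax: int) -> bool:
    return region_key(v, cmax) == region_key(w, cmax)


def regions_along_delay(v: Valuation, cmax: int, delay: int = 1) -> List[Hashable]:
    """Distinct regions visited by v + t for t in [0, delay], in order of visit.
    All clocks advance at the same rate, so the region can only change at a time
    where some fractional part wraps to zero (which also covers integer crossings
    of cmax); sampling at those times and midway between them is exhaustive."""
    points = {Fraction(0), Fraction(delay)}
    for q in v.values():
        t = 1 - frac(q)                      # first wrap time of this clock
        while t <= delay:
            points.add(t)
            t += 1
    breaks = sorted(points)
    samples: List[Fraction] = []
    for i, t in enumerate(breaks):
        samples.append(t)
        if i + 1 < len(breaks):
            samples.append((t + breaks[i + 1]) / 2)
    visited: List[Hashable] = []
    for t in samples:
        key = region_key({x: q + t for x, q in v.items()}, cmax)
        if not visited or visited[-1] != key:
            visited.append(key)
    return visited


if __name__ == "__main__":
    v = valuation(x1="0.2", x2="0.5", x3="0.7")       # {x1} < {x2} < {x3}
    print(len(regions_along_delay(v, cmax=10)) - 1)    # 2 * |C| = 6 regions after the start
```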

This  is  a  significant  increase  in  the  number  of  transitions.  In  the  zone 
automaton,  an  action  transition  is  followed  by  an  arbitrary  amount  of  time. 
However,  in  the  region  graph,  a  number  of  delta  transitions  can  be  executed 
successively,  each  advancing  to  a  new  region,  until  eventually  an  action  tran¬ 
sition  is  taken.  The  exploration  of  some  interleavings  between  action  transi¬ 
tions  and  those  that  correspond  to  passage  of  time  can  be  avoided  by  using 
partial  order  reduction. 

Consider an action transition $\xrightarrow{a}$ that does not reset any clocks. We first examine in detail the circumstances under which transitions $\xrightarrow{a}$ and $\xrightarrow{\delta}$ can disable one another:

Proposition 8 The enabling of action and delay transitions in successor regions is related as follows:

•  $\xrightarrow{a}$ can disable $\xrightarrow{\delta}$ in $(s, [v])$ iff one of the following holds:

-  the successor state $s'$ with respect to $a$ has an invariant of the form $x \le c$, and $v(x) = c$.

-  the successor state $s'$ with respect to $a$ has an invariant of the form $x < c$, $\lfloor v(x) \rfloor = c - 1$, $\{v(y)\} > 0$ for all $y \in C$ and $\{v(x)\} \ge \{v(y)\}$ for all $y \in C$.

•  $\xrightarrow{\delta}$ can disable $\xrightarrow{a}$ iff one of the following holds:

-  $\xrightarrow{a}$ has a constraint of the form $x \le c$, and $v(x) = c$.

-  $\xrightarrow{a}$ has a constraint of the form $x < c$, $\lfloor v(x) \rfloor = c - 1$, $\{v(y)\} > 0$ for all $y \in C$ and $\{v(x)\} \ge \{v(y)\}$ for all $y \in C$.

Proof: Since $\xrightarrow{a}$ does not reset any clocks, the clock valuations in $s$ and $s'$ after executing $a$ are the same. We examine first the cases where $\xrightarrow{a}$ disables $\xrightarrow{\delta}$. This means that passage of time, which is allowed in control state $s$, is no longer allowed in state $s'$. This occurs when the advance of some clock $x$ is limited by an invariant of the form $x \prec c$ in state $s'$, and when advancing time to the next region by means of transition $\xrightarrow{\delta}$ would result in a region that no longer satisfies this invariant. If the constraint in the invariant is nonstrict, $x \le c$, $[v]$ has to be a boundary region with $v(x) = c$; otherwise an incremental advance of time to the next region will still satisfy $v'(x) \le c$. If the constraint in the invariant is strict, $x < c$, the invariant will no longer be satisfied if the successor region is the boundary region with $v'(x) = c$. This happens when $\lfloor v(x) \rfloor = c - 1$, and $\{v(x)\}$ is the next fractional part to wrap around to zero, i.e., $\{v(x)\} \ge \{v(y)\}$ for all $y \in C$. In addition, the current region must not itself be a boundary region with some $\{v(y)\} = 0$. Otherwise, the next region is obtained by an infinitesimal advance of time, which increases $\{v(y)\}$ from 0 to positive while maintaining $v(x) < c$.

For the case when $\xrightarrow{\delta}$ disables $\xrightarrow{a}$, the given conditions are analogous, with the enabling condition of the transition replacing the invariant of the destination state. The argument is completely similar. □

Proposition 9 If $\xrightarrow{a}$ and $\xrightarrow{\delta}$ are two transitions enabled in region $r = (s, [v])$, none of them disables the other, and $\xrightarrow{a}$ does not reset any clocks, then $\xrightarrow{a}$ and $\xrightarrow{\delta}$ are independent in region $(s, [v])$.

Proof: The proof follows from the fact that for any $t \in \mathbb{R}^+$, the transitions $\xrightarrow{a}$ and $\xrightarrow{t}$ commute in $(s, v)$ if neither disables the other and $\xrightarrow{a}$ does not reset any clocks. This is obvious, since $\xrightarrow{a}$ only changes the control location and $\xrightarrow{t}$ only changes the clock valuation. □

Based  on  this  dependence  relation,  partial  order  reduction  can  be  used 
in  the  construction  of  a  smaller  region  graph  for  a  given  timed  automaton. 
Ordinarily,  even  at  a  state  where  only  a  single  transition  is  enabled,  the  region 
graph  construction  would  have  to  consider  either  executing  the  transition  or 
advancing  time  to  the  next  region.  For  transitions  that  do  not  reset  clocks, 
this  method  allows  the  exploration  of  only  one  possibility,  except  for  the 
case  when  the  execution  of  the  transition  is  forced  at  the  end  of  its  enabling 
interval.  (The  other  case,  where  a  time  invariant  is  strengthened  in  the 
successor  state  rarely  appears  in  practice). 

As opposed to the local time model, this method does not make use of the structuring of a system into components, and can be used on a single timed automaton. Furthermore, the region graph, being time-abstract, can be represented symbolically using binary decision diagrams (BDDs). Thus, if a static technique is used for partial order reduction, this method can potentially combine partial order reduction and symbolic model checking.
4.2 Partial Order Reduction for Timed Event/Level Structures

A model of timed systems which is well suited for describing hardware circuits, in particular asynchronous ones, is provided by the so-called timed event/level (TEL) structures. This model can express both event causality, as well as dependence on signal levels. Early work by Rokicki and Myers [RM94] gave an algorithm that reduced the number of geometrical timing regions generated during state space search. This approach was later extended by Belluomini and Myers [BM98] using so-called partially ordered sets of events (POSETs). We show how to apply partial order reduction to this model and obtain additional savings in the generated control state space.

4.2.1 Timed Event/Level Structures

We start with a presentation of timed event/level structures and the POSET algorithm, following the account given in [BM98]. A timed event/level (TEL) structure is a tuple $T = (N, S_0, A, E, R, \#)$, where:

•  $N$ is the set of (boolean) signals,

•  $S_0 \subseteq \{0, 1\}^N$ is a set of initial states, specified by a boolean value for each signal,

•  $A \subseteq N \times \{+, -\} \cup \{\$\}$ is the set of actions,

•  $E \subseteq A \times \mathbb{N}$ is the set of events, where $\mathbb{N}$ is the set of natural numbers,

•  $R \subseteq E \times E \times \mathbb{N} \times (\mathbb{N} \cup \{\infty\}) \times B(N)$ is the set of rules, where $B(N)$ is the set of boolean functions $b : \{0, 1\}^N \to \{0, 1\}$,

•  $\# \subseteq E \times E$ is the (symmetric) conflict relation between events.

An action $a \in A$ can be either a rising or a falling transition of a signal $x \in N$. There is also the dummy action $\$$ which does not result in any signal transition. An event $e \in E$ is a pair $(a, i)$, with $a \in A$ and $i \in \mathbb{N}$, denoting the $i$th occurrence of action $a$. A rule $r \in R$ is a tuple of the form $(e, f, l, u, b)$, where $e$ is the event enabling the rule, $f$ is the event enabled as effect of the rule, $(l, u)$ is a pair of lower and upper integer time bounds, and the enabling condition $b \in B(N)$ is a boolean function on signal values.
The semantics of TEL structures can be described informally as follows: A rule becomes enabled once its enabling event has occurred and its boolean enabling condition is true for the current signal assignment. After the lower time bound $l$ passes since the enabling of a rule, the rule is called satisfied; from this time point on, the rule can fire. After the passage of the upper time bound $u$ since its enabling, a rule becomes expired. In the absence of conflicts, an event has to occur after all rules enabling it are satisfied, and before any of them expires. Should a rule's boolean enabling condition become false after the rule is enabled, this constitutes a hazard and represents a failure during verification.

The conflict relation $\#$ can be used to model choice and disjunctive behavior. If two events $e_1$ and $e_2$ are marked as being in conflict, $e_1 \# e_2$, one of the two can occur, but not both. If two rules $r_1$ and $r_2$ have the same enabling event $e$, but conflicting events $e_1 \# e_2$ as effect, then only one of the rules can fire, causing the corresponding effect to occur. This models nondeterministic choice. Conversely, if an event $e$ appears as an effect of two rules with conflicting enabling events, only one of these events needs to happen (and only one rule needs to fire) for the effect $e$ to occur.

4.2.2 State Space Exploration Using POSETs

We next describe the data structures and the exploration algorithm used in the POSET approach of Belluomini and Myers [BM98], to establish a comparison point for the application of partial order reduction. In TEL structures, a timed state is represented as a tuple $(s_c, R_m, M, R_f)$, where:

•  $s_c$ is the control state representing the values of the signals,

•  $R_m$ is the set of marked rules, whose enabling event has occurred,

•  $M$ is the constraint matrix, a difference bound matrix containing the maximum differences between the enabling times of all enabled rules,

•  $R_f$ is the set of rules that have already fired.

The set of marked rules $R_m$ together with the values of the signals in $s_c$ determine the set of enabled rules $R_{en}$. These are the rules for which timing information is maintained in the constraint matrix $M$. For the fired rules in $R_f$, no timing information about them needs to be maintained in the constraint matrix, but the fact that they have fired must be recorded.
A state space exploration step in a TEL structure consists of determining the set of satisfied rules $R_s$, choosing a satisfied rule to fire, and computing the resulting new timed state. A depth-first search of the state space would consider in turn the firing of each rule among the satisfied rules in $R_s$. However, each interleaving of rule firings would typically generate a different constraint matrix $M$ (that is, a different timing region), leading to an exponential number of different timed states. The POSET method generates a timed state space consisting of fewer and larger timing regions. To this effect, the algorithm maintains in addition to the constraint matrix (which contains separation times between enabled rules) another difference bound matrix, called POSET matrix, which keeps track of relationships between event firing times that are allowed by the given rule firing sequence. As a result, the timing behaviors represented in the constraint matrix are only constrained by the causality in the firing sequence, and no longer by its total order, resulting in a significantly reduced number of timed states.

However, the method still requires multiple rule interleavings to be explored, even though with the use of POSETs the same timing region is generated in the state space. Also, some computation steps for the constraint matrix still take into account the chosen total order of rule interleavings, which results in unnecessary overhead. In the following, we present the POSET algorithm by working through an example which showcases both its strengths and limitations, and finally present an improved algorithm which takes advantage of partial order reduction.

The POSET algorithm decouples rule firing from event firing: A rule can fire as soon as it is satisfied, i.e., it has been enabled for at least its lower time bound. An event fires only once all its enabling rules have fired. The causal rule $r_c$ for an event $e$ is therefore the last rule that fires and consequently enables the event. Conversely, the causal event for a rule $r = (e_c, e, l, u, b)$ can be either the enabling event $e_c$ or some later event that causes the enabling condition $b$ to be satisfied. Finally, note that the causal event $e_c$ of an event $e$ is the causal event of its causal rule $r_c$, and the minimum and maximum separation times between $e_c$ and $e$ are consequently given by $r_c$.

Taking these causality relations into account, the POSET algorithm proceeds as follows: from the timed state $(s_c, R_m, M, R_f)$, the set of satisfied rules is computed and a rule $r$ that can fire first among these is selected. The rule $r$ is removed from the set of marked rules $R_m$ and added to the set of fired rules $R_f$. Next, the algorithm checks whether as a result of firing $r$ any event can fire. If yes, the untimed state is updated, the enabling rules of the event are removed from $R_f$, and any conflicting rules are removed from $R_m$ and $R_f$. Finally, the POSET matrix is updated and the new event separations are used to update the constraint matrix.

When  adding  a  new  event  e  to  the  POSET  matrix,  the  separation  times  to 
the  events  that  influence  e  (and  therefore  exist  in  the  POSET  matrix)  must 
be  taken  into  account.  This  includes  the  causal  event  of  e,  the  enabling  events 
of  any  rules  that  enable  e,  and  the  events  occurring  in  the  boolean  conditions 
of  these  rules.  Determining  these  separation  times  is  straightforward  and  is 
described  in  detail  in  [BMH99] .  The  separation  times  between  the  new  event 
e  and  any  other  events  in  the  POSET  matrix  are  simply  a  consequence  of 
existing  separation  times  and  are  computed  by  canonicalizing  the  matrix 
using  the  all-pairs  shortest  paths  algorithm.  After  this  step,  all  events  which 
are  no  longer  relevant  to  the  evolution  of  the  system  (i.e.,  are  not  causal  for 
any  of  the  marked  rules  in  Rm )  are  removed  from  the  matrix. 

As  a  last  step,  all  rules  enabled  by  the  firing  of  the  new  event  need  to  be 
added  to  the  constraint  matrix  M.  Since  the  enabling  time  of  a  rule  is  simply 
the  timepoint  of  its  enabling  event,  the  needed  minimum  and  maximum 
separation  times  between  the  new  rules  and  the  existing  ones  can  simply  be 
copied  from  the  POSET  matrix.  The  constraint  matrix  is  then  canonicalized, 
which  can  further  constrain  some  of  its  entries,  since  the  age  of  a  rule  cannot 
exceed  its  maximum  bound  u.  Finally,  the  rule  whose  firing  caused  this 
computation  step  (and  which  is  thus  no  longer  in  Ren)  is  removed  from  the 
constraint  matrix. 

We  illustrate  the  application  of  the  POSET  algorithm  by  means  of  a  small 
example,  taken  for  purposes  of  comparison  from  [BM98].  Figure  4.1  depicts 
a  timed  event/level  structure,  in  which  events  are  represented  as  nodes  and 
rules  as  directed  edges  (labeled  with  time  bounds)  connecting  them.  For 
simplicity,  no  level  dependencies  are  included  in  this  case,  which  means  that 
all  boolean  conditions  of  the  rules  are  true.  Thus,  the  sole  triggering  condition 
for  a  rule  is  its  enabling  event. 

Initially,  event  A  has  just  fired,  and  the  set  of  marked  (and  enabled) 
rules  is  Ren  =  {(A,  B),  (A,  C)}  (we  can  unambiguously  denote  a  rule  by  its 
triggering  and  resulting  events).  The  POSET  matrix  is  trivial  and  contains 
the  single  event  A.  The  constraint  matrix  compares  the  ages  of  the  enabled 
rules,  i.e.,  the  amount  of  time  passed  since  each  rule  has  been  enabled.  These 
are  quantities  that  increase  at  the  same  rate  with  passage  of  time,  just  like 
the  clocks  in  a  timed  automaton.  Similarly,  the  matrix  contains  a  dummy 
clock  which  has  always  age  0. 
Figure 4.1: Sample timed event/level structure

The representation defined in [BM98], which we observe for reasons of consistency, defines the matrix entry $m_{ij}$ to be $c_j - c_i$, where $c_i$ is the age of the rule $r_i$. Thus, rows and columns are swapped compared to the usual DBM representation. In an alternate view, we can state that $m_{ij} = t(e_i) - t(e_j)$, where $e_i$ is the causal event for rule $r_i$ and $t(e_i)$ its firing time. In this case, the zero row and column denote the current time $t$, and $m_{0j} = t - t(e_j)$.

The entries in row 0 are thus set to the maximum possible age for each rule, given by its upper bound $u$, since the constraint matrix contains rules which have not yet fired. In this case, both rules are enabled by the same event $A$ and therefore have identical enabling times, $m_{AB,AC} = m_{AC,AB} = 0$. We have $t - t(A) \le 7 = m_{0,AB}$ due to rule $(A, B)$, and $t - t(A) \le 5 = m_{0,AC}$ due to rule $(A, C)$. The latter bound is stronger and thus constraining for both rules, after the matrix is canonicalized. The elements of column 0 are 0, since the only constraint on the ages of rules is that they be positive. The state of the TEL structure is therefore as follows:

Constraint matrix:

            0   (A,B)  (A,C)
    0       0     5      5
    (A,B)   0     0      0
    (A,C)   0     0      0

POSET matrix:

        A
    A   0

Next, either rule $(A, B)$ or rule $(A, C)$ can fire. Consider first the firing of $(A, B)$ which causes event $B$ to occur. Event $B$ is added to the POSET matrix, with rule $(A, B)$ giving the minimum and maximum separation times of 3 and 7 from event $A$: $3 \le t(B) - t(A) \le 7$. Rule $(B, D)$ triggered by the new event $B$ is added to the constraint matrix and rule $(A, B)$ which has fired is removed. The new constraints are $t(A) - t \le m_{AC,0} = -3$ (at least 3 time units have passed since $A$, since $B$ has fired), $m_{0,BD} = 2$ (maximum firing time of rule $(B, D)$), and $t(A) - t(B) \le m_{AC,BD} = -3$ (again, due to the firing of $B$ after $A$). The remaining entry $m_{BD,AC} = 5$ is obtained from canonicalization, which reduces it compared to $t(B) - t(A) \le 7$ from the POSET matrix. The resulting state is:

Constraint matrix:

            0   (A,C)  (B,D)
    0       0     5      2
    (A,C)  -3     0     -3
    (B,D)   0     5      0

POSET matrix:

        A    B
    A   0   -3
    B   7    0

In this state, either rule $(A, C)$ (implying event $C$) or rule $(B, D)$ can fire and we explore the firing of the former. Event $C$ is added to the POSET matrix, with a separation time from $A$ between 2 and 5, given by the fired rule. At this point, all rules triggered by $A$ have fired and the event can be removed from the POSET matrix. The remaining separations in this matrix are: $t(B) - t(C) = (t(B) - t(A)) - (t(C) - t(A)) \le 7 - 2 = 5$ and $t(C) - t(B) = (t(C) - t(A)) - (t(B) - t(A)) \le 5 - 3 = 2$. Likewise, the fired rule $(A, C)$ is removed from the constraint matrix and the two rules newly enabled by event $C$ are added to it. The new constraint is $t - t(B) \le 2 = m_{0,BD}$, from the upper firing bound of rule $(B, D)$. By canonicalization, we obtain $m_{0,CD} = m_{0,BD} + m_{BD,CD} = 2 + 5 = 7$. Finally, the last two rows and columns are identical, since their rules have the same causal event.

Constraint matrix:

            0   (B,D)  (C,D)  (C,E)
    0       0     2      7      7
    (B,D)   0     0      5      5
    (C,D)   0     2      0      0
    (C,E)   0     2      0      0

POSET matrix:

        B    C
    B   0    5
    C   2    0

Two characteristics of the POSET method become apparent at this step. First, even though in the current rule firing sequence $B$ happens before $C$, the POSET matrix does not contain this restriction. The separation times between $B$ and $C$ in the POSET matrix are only determined by their causal dependence on $A$. Second, this is also true of the constraint matrix, which also contains all timing assignments allowed by the causality in the firing sequence, in particular, assignments where $C$ fires before $B$.

The exploration process would continue here using the same algorithm. Once both rules $(B, D)$ and $(C, D)$ have fired, event $D$ fires, and in this case two cases must be analyzed, depending on whether $B$ or $C$ is causal. We will return to this example in the next section, to illustrate how the POSET algorithm can be improved by using partial orders.
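The constraint-matrix steps of the example above, recomputed by canonicalizing the raw bounds with the all-pairs shortest paths algorithm in the transposed $m_{ij} = c_j - c_i$ convention of [BM98] (added Python, not code from [BM98] or from this dissertation). The upper bounds of rules $(C, D)$ and $(C, E)$ do not appear in the text and are left unconstrained by default, which is enough to reproduce the third matrix.

```python
from itertools import product
from typing import List, Sequence

INF = float("inf")


class ConstraintMatrix:
    """DBM in the convention used above: m[i][j] is an upper bound on c_j - c_i,
    where c_i is the age of rule i and row/column 0 is the dummy clock of age 0
    (so m[0][j] bounds the age of rule j and m[i][0] = -c_i is at most 0)."""

    def __init__(self, rules: Sequence[str]) -> None:
        self.names: List[str] = ["0"] + list(rules)
        n = len(self.names)
        self.m: List[List[float]] = [[0 if i == j else INF for j in range(n)] for i in range(n)]
        for r in rules:
            self.bound(r, "0", 0)      # ages are nonnegative: c_0 - c_r <= 0

    def bound(self, i: str, j: str, value: float) -> None:
        """Record c_j - c_i <= value, keeping the tighter of the old and new bound."""
        a, b = self.names.index(i), self.names.index(j)
        self.m[a][b] = min(self.m[a][b], value)

    def canonicalize(self) -> bool:
        """Floyd-Warshall closure m[i][j] <= m[i][k] + m[k][j]; False if empty."""
        n = len(self.names)
        for k, i, j in product(range(n), repeat=3):   # k is the outer loop
            via = self.m[i][k] + self.m[k][j]
            if via < self.m[i][j]:
                self.m[i][j] = via
        return all(self.m[i][i] >= 0 for i in range(n))

    def rows(self) -> List[List[float]]:
        if not self.canonicalize():
            raise ValueError("empty timing region")
        return [list(r) for r in self.m]


def initial_matrix() -> List[List[float]]:
    """Both rules enabled by A; upper bounds u(A,B) = 7 and u(A,C) = 5 from the text."""
    cm = ConstraintMatrix(["(A,B)", "(A,C)"])
    cm.bound("0", "(A,B)", 7)          # t - t(A) <= 7
    cm.bound("0", "(A,C)", 5)          # t - t(A) <= 5
    cm.bound("(A,B)", "(A,C)", 0)      # identical enabling times
    cm.bound("(A,C)", "(A,B)", 0)
    return cm.rows()                   # [[0, 5, 5], [0, 0, 0], [0, 0, 0]]


def after_firing_AB() -> List[List[float]]:
    """(A,B) has fired and B occurred; the POSET matrix gives 3 <= t(B) - t(A) <= 7."""
    cm = ConstraintMatrix(["(A,C)", "(B,D)"])
    cm.bound("0", "(A,C)", 5)          # age of (A,C) <= 5
    cm.bound("0", "(B,D)", 2)          # age of (B,D) <= 2
    cm.bound("(A,C)", "(B,D)", -3)     # t(A) - t(B) <= -3
    cm.bound("(B,D)", "(A,C)", 7)      # t(B) - t(A) <= 7, tightened to 5 by closure
    return cm.rows()                   # [[0, 5, 2], [-3, 0, -3], [0, 5, 0]]


def after_firing_AC(u_cd: float = INF, u_ce: float = INF) -> List[List[float]]:
    """(A,C) has fired and C occurred; POSET gives t(B) - t(C) <= 5, t(C) - t(B) <= 2.
    u_cd and u_ce stand in for the upper bounds of (C,D) and (C,E), not given above."""
    cm = ConstraintMatrix(["(B,D)", "(C,D)", "(C,E)"])
    cm.bound("0", "(B,D)", 2)
    cm.bound("0", "(C,D)", u_cd)
    cm.bound("0", "(C,E)", u_ce)
    cm.bound("(B,D)", "(C,D)", 5)      # t(B) - t(C) <= 5
    cm.bound("(C,D)", "(B,D)", 2)      # t(C) - t(B) <= 2
    cm.bound("(C,D)", "(C,E)", 0)      # same causal event C
    cm.bound("(C,E)", "(C,D)", 0)
    return cm.rows()                   # m[0][(C,D)] = 2 + 5 = 7 arises from closure


if __name__ == "__main__":
    for step in (initial_matrix, after_firing_AB, after_firing_AC):
        print(step.__name__, step())
```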

4.2.3 An Improved Algorithm for TEL Structures

Besides its improvements in reducing the number of generated timing regions, the POSET algorithm still suffers from inefficiencies. First, the method still has to explore redundant interleavings of rule firing sequences. For instance, in the example above, after choosing $(A, B)$ to fire ahead of $(A, C)$, the algorithm still has to consider the alternate interleaving, which in the POSET approach leads to the same timing region. A second overhead resulting from firing rules in a total order is that time separations which are copied from the POSET matrix to the constraint matrix have to be adjusted to account for the fact that the age of a rule cannot exceed its upper time bound. In fact, the constraint and POSET matrices duplicate a significant amount of information. We address these issues in a new algorithm. Optimizations to remove redundant rule interleavings are also discussed in the thesis of Belluomini [Bel99], with the goal of generating only one POSET matrix per causal rule. However, they seem limited to certain timing conditions, whereas we address the problem in the general framework of partial orders.

As before, denote by $s_c$ the state of the signals in the model, by $R_m$ the set of marked rules (whose enabling event has fired), and let $E_m$ be the set of events enabling these rules. An event is added to $E_m$ as it fires, and removed when all the rules enabled by it have either fired or expired. We maintain information about the time separation of events from $E_m$ in a difference bound matrix $M_e$ which we call event matrix and which serves the same role as the POSET matrix in the approach presented above. Since the separation time between rules is determined directly by the separation times between the corresponding events, we will attempt as much as possible to avoid the inclusion of rule timings in the data structures describing a state.

To apply partial order reduction, we next need to define the key notions of visibility and dependence for system transitions (i.e., event occurrences). We focus on the verification of next-time free linear temporal logic, and assume that the atomic propositions are defined in terms of signal values and time differences between events. Then, a visible transition is either an event on a signal mentioned in the specification, or an event that appears in a time constraint in the specification. All other events produce changes in the timed state that the specification cannot observe.

Let us examine the dependence relation between events. Clearly, two events are dependent if they are defined as being in conflict, $e_1 \# e_2$. (If they are both caused by a rule with the same enabling event, the conflict relation specifies that only one of them can happen.) Whether this completely defines the dependence relation depends on the disabling or non-disabling semantics [BM97] adopted for the TEL structure. In the non-disabling semantics, once a rule is enabled, it cannot become disabled because of a change in state. In the disabling semantics, an enabled rule can become disabled because of another event that causes its boolean condition to become false. In the latter case, for an event to fire, all of the rules causing an event need to be continuously enabled up to its firing time.

Denote by $\mathit{disable}(e)$ the set of events that can disable an event $e$. In the non-disabling semantics, we have $\mathit{disable}(e) = \{e' \mid e \# e'\}$, since except for choice conflicts, nothing can disable any of the rules causing $e$, once they are enabled. In the disabling semantics, $e$ can also be disabled by an event that falsifies the boolean condition on a rule enabling $e$. We approximate this conservatively with the set of all events on the signals appearing in the boolean conditions of these rules (a more detailed analysis of these conditions may restrict this set on a case by case basis). Formally, define $\mathit{disable}(e) = \{e' \mid e \# e'\} \cup \{s_\pm \mid (e', e, l, u, b) \in R \text{ and } s \text{ appears in } b\}$, where $s_\pm$ denotes an arbitrary rising or falling event on signal $s$. We call events $e_1$ and $e_2$ independent if $e_2 \notin \mathit{disable}(e_1)$ and $e_1 \notin \mathit{disable}(e_2)$. Here, the definition of $\mathit{disable}$ ensures the enabledness condition, whereas the commutativity condition is trivially satisfied since the effect of an event on a state is merely to toggle a signal.

Having defined the notions of visibility and dependence, we can proceed to define an ample set of transitions to explore at a given state s. We need to ensure condition C1, i.e., that a transition which conflicts with an ample transition is either enabled and included in the ample set, or disabled and cannot be enabled without executing an ample transition. To guarantee this, we adapt the approach taken by Valmari for stubborn sets [Val90] and then by Yoneda et al. [YS97] for time Petri nets.
An event e' is relevant for the execution of another event e at a given state if either e and e' are dependent or if both are visible. To handle relevant events which are disabled at the current state, we say that a set of events $E_n$ is necessary for a disabled event e at a given state if e cannot be enabled without executing an event from $E_n$ first. In general, an event e is enabled by multiple rules. If these rules have non-conflicting enabling events, then by definition, all of these events have to fire in order for e to fire. Thus, any enabling event of e forms a necessary set by itself. If some of the enabling events are conflicting, several of them may have to be chosen to form a necessary set.

For every event e' which is relevant to another event e we consider a set $\mathit{necessary}^*(e')$ which contains e' and is transitively closed under necessity, i.e., if $e'' \in \mathit{necessary}^*(e')$ is disabled, there exists a set of events $E_n$ which is necessary for e'' and included in $\mathit{necessary}^*(e')$. Finally, a set of events dependency(e) is called a dependency set for e if for any event e' which is relevant for e there exists a set $\mathit{necessary}^*(e')$ for which all enabled transitions belong to dependency(e).

In general, including dependency(e) in the ample set together with any ample event e is sufficient to guarantee condition C1. However, a timed system has characteristics that make it possible to define smaller ample sets than in the untimed case [YS97]. Specifically, of all the events that can occur at a given timed state, only a subset can occur before any other event. We call such an event firable, since it can fire first, before any other event. Since an event sequence executed from a given timed state can only start with an event which is firable at that state, our ample set will also consist only of firable events. We can therefore modify a procedure to select an ample set in an untimed system as follows:

1. Start with ample(s) = {e} for some firable invisible event e. If there is none, simply return the set of all firable events as an ample set.

2. For any event e' that belongs to dependency(e) for some e in ample(s), if e' is firable before all events from ample(s), add e' to ample(s). Iterate until a fixpoint is reached.

Every event added to ample(s) by the above algorithm is firable. The transitive closure operation in step 2 ensures that all firable events which might eventually lead to an event dependent on an ample event belong to the ample set, and C1 is satisfied. Likewise, the ample set contains at least one invisible transition if one exists, and includes in step 2 all visible transitions if one is included. This ensures condition C2. Condition C3 is ensured dynamically in the case of depth-first search, or using static partial order reduction.
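As an added example, not code from the dissertation, the following Python implements the dependency-set closure and the two-step ample set selection above for a small constructed TEL-like structure; the state, the conflicts, the visible events and the firing windows that stand in for the event matrix are all assumptions of the example. The same necessary*/dependency closure reappears for timed structures in Section 5.3.3.

```python
"""Ample-set selection for a TEL structure under the non-disabling semantics.

Added illustration; the instance below is constructed, not one of the
dissertation's benchmarks.  Two simplifying assumptions of ours: every event
fires at most once, and the enabling events of an event are pairwise
non-conflicting, so an event is enabled once all its enabling events have
fired and any unfired enabling event by itself is a necessary set.
Firability is a timing question answered from the event matrix; here it is
abstracted as an absolute firing window (earliest, latest) per enabled event.
"""
from dataclasses import dataclass


@dataclass
class TelState:
    enabling: dict    # event -> enabling events (one per rule causing it)
    conflict: set     # frozenset({e1, e2}) choice conflicts, e1 # e2
    visible: set      # events the specification can observe
    fired: set        # events already fired in this state
    window: dict      # enabled event -> (earliest, latest) firing time

    def enabled(self):
        return {e for e, causes in self.enabling.items()
                if e not in self.fired and all(c in self.fired for c in causes)}

    def fires_before(self, e, others):
        """e can fire no later than the deadline of every event in others."""
        lo = self.window[e][0]
        return all(lo <= self.window[o][1] for o in others)

    def firable(self):
        """Events that can fire first, before any other enabled event."""
        en = self.enabled()
        return {e for e in en if self.fires_before(e, en - {e})}

    def disable(self, e):
        # non-disabling semantics: disable(e) = {e' | e # e'}
        return {f for f in self.enabling if frozenset({e, f}) in self.conflict}

    def relevant(self, e):
        rel = self.disable(e)
        if e in self.visible:           # two visible events are relevant
            rel |= self.visible - {e}
        return rel

    def necessary_closure(self, e):
        """necessary*(e): contains e and is transitively closed under necessity."""
        en = self.enabled()
        closure, work = {e}, [e]
        while work:
            x = work.pop()
            if x in en or x in self.fired:
                continue                # enabled events need no necessary set
            # x is disabled: one unfired enabling event is necessary for x
            c = next(c for c in self.enabling[x] if c not in self.fired)
            if c not in closure:
                closure.add(c)
                work.append(c)
        return closure

    def dependency(self, e):
        """Enabled members of necessary*(e') for every e' relevant to e."""
        en = self.enabled()
        return set().union(*(self.necessary_closure(r) & en for r in self.relevant(e)))

    def ample(self, start=None):
        firable = self.firable()
        invisible = sorted(firable - self.visible)
        if not invisible:               # step 1: no invisible firable event
            return firable
        amp = {start if start is not None else invisible[0]}
        changed = True                  # step 2: close under dependency
        while changed:
            changed = False
            for e in list(amp):
                for f in self.dependency(e):
                    if f not in amp and self.fires_before(f, amp):
                        amp.add(f)
                        changed = True
        return amp

    def smallest_ample(self):
        """Heuristic of ours: try every firable invisible start, keep the smallest."""
        starts = self.firable() - self.visible
        return min((self.ample(s) for s in sorted(starts)), key=len) if starts else self.ample()


# Constructed state: A has fired; B, C, F, G, H are enabled by A,
# D needs B and C, E needs C.  Conflicts: B#E, C#F, C#H.  E and H are visible.
STATE = TelState(
    enabling={"B": ["A"], "C": ["A"], "F": ["A"], "G": ["A"], "H": ["A"],
              "D": ["B", "C"], "E": ["C"]},
    conflict={frozenset({"B", "E"}), frozenset({"C", "F"}), frozenset({"C", "H"})},
    visible={"E", "H"},
    fired={"A"},
    window={"B": (1, 4), "C": (2, 6), "F": (7, 9), "G": (0, 10), "H": (1, 3)},
)

if __name__ == "__main__":
    print("enabled :", sorted(STATE.enabled()))
    print("firable :", sorted(STATE.firable()))   # F cannot fire first
    for s in "BCG":
        print(f"ample from {s}:", sorted(STATE.ample(s)))
    print("smallest:", sorted(STATE.smallest_ample()))
```

Starting from B pulls in C (necessary for the conflicting, disabled E) and the visible H, but not F, which conflicts with C yet cannot fire before the ample events; starting from the independent G yields a singleton ample set.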

We can also choose an ample set that contains non-firable events if all events in the ample set are invisible. In this case, the invisibility condition ensures that no additional behaviors are added by exploring a non-firable event first. However, with such a choice, an actual reduction of the state space is not guaranteed, since the ample set algorithm may explore transitions which are not firable in the original system.

With the selection of ample sets in place, the partial order exploration proceeds as follows. A timed state is a tuple $(s_c, R_m, E_m, M_e)$, consisting of the signal state, the set of marked rules, the marked events and the event matrix containing their time separations. From this timed state, one determines the set of enabled events and an ample set. Each event e in the ample set is selected in turn for firing, assuming a depth-first search. Once the event fires, it is added to $E_m$ and to the event matrix $M_e$ with the appropriate timing separations given by its enabling rules. Next, these rules are removed from $R_m$ and the rules whose enabling event is e are added to $R_m$. Finally, any event that is no longer enabling for any of the rules in $R_m$ is removed from $E_m$ and the event matrix.

Our algorithm no longer considers the rule firing times explicitly and separately from the firing of events. However, it still has to take into account which rule is causal to the firing of an event. Recall that a rule can fire anytime after it has been enabled for its lower time bound, and before its upper time bound expires. An event fires at the same time as its last enabling rule. In our algorithm, this is done as follows. Consider an event e enabled by k rules, $r_i = (e_i, e, l_i, u_i, b_i)$, with $1 \le i \le k$, and let $t(r_i)$ be their firing times. Since the event e fires after all of its enabling rules, we have $t(e) \ge t(r_i)$, and the lower bounds on the rules imply $t(e) - t(e_i) \ge t(r_i) - t(e_i) \ge l_i$, for $1 \le i \le k$. Potentially, each of the rules $r_i$ can be causal, in which case we also have $t(e) = t(r_i)$, and the upper bound implies $t(e) - t(e_i) = t(r_i) - t(e_i) \le u_i$. Considering each causal rule separately, we generate potentially k different successor regions (some may be empty, overlap or generate convex unions). This procedure shows another advantage of our approach: if multiple rules enable the same event, we only need to distinguish which rule fires last, instead of generating all interleavings.

To illustrate the algorithm using the same example as in the previous section, consider the state reached after firing B and C. We have $E_m = \{B, C\}$, $R_m = \{(B, D), (C, D), (C, E)\}$, and the event matrix is:

        B   C
    B   0   5
    C   2   0

Next, events D and E can fire, and either of them can fire first. If we select D, we need to analyze the possible causal events, B and C. If B is causal, the bounds on the rules imply $1 \le t(D) - t(B) \le 2$ and $6 \le t(D) - t(C)$. The upper bound on $t(D) - t(C)$ is obtained by canonicalizing the matrix, $t(D) - t(C) = t(D) - t(B) + t(B) - t(C) \le 2 + 5 = 7$. If C is causal, we have $1 \le t(D) - t(B)$ and $6 \le t(D) - t(C) \le 10$, and $t(D) - t(B) = t(D) - t(C) + t(C) - t(B) \le 10 + 2 = 12$ is obtained from canonicalization:

    B causal to D             C causal to D

        B   C   D                 B   C   D
    B   0   5  -1             B   0   5  -1
    C   2   0  -6             C   2   0  -6
    D   2   7   0             D  12  10   0

In this particular case, the region obtained is a superset of the one above. In both cases, since all rules with enabling event B have fired, B can now be removed from the event matrix.
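As an added example, not code from the dissertation, the following Python carries out the event matrix update described above for the general case of k enabling rules and runs it on the B, C, D instance, taking the rule bounds [1, 2] for (B, D) and [6, 10] for (C, D) as stated in the text; the matrix convention (an entry bounds t(row) - t(column)) and the empty-region test on the diagonal are assumptions of the example.

```python
"""Firing an event into the event matrix: one successor region per causal rule.

Added illustration, not the dissertation's implementation.  m[x][y] is the
upper bound on t(x) - t(y); INF means unconstrained.  The instance is the
page's example state reached after B and C fired.
"""
from itertools import product

INF = float("inf")


def canonicalize(m):
    """Floyd-Warshall tightening of the difference bounds; None if empty."""
    keys = list(m)
    for k, i, j in product(keys, repeat=3):    # k is the outer loop
        via = m[i][k] + m[k][j]
        if via < m[i][j]:
            m[i][j] = via
    if any(m[x][x] < 0 for x in keys):          # negative cycle: no timing fits
        return None
    return m


def fire_event(matrix, event, rules, causal):
    """Successor matrix after `event` fires with rule `causal` firing last.

    rules: list of (enabling_event, lower, upper) for the rules causing event.
    """
    m = {x: dict(row) for x, row in matrix.items()}
    for x in m:
        m[x][event] = INF
    m[event] = {x: INF for x in m}
    m[event][event] = 0
    for src, lo, up in rules:
        # every enabling rule has fired: t(e) - t(src) >= lo, i.e. t(src) - t(e) <= -lo
        m[src][event] = min(m[src][event], -lo)
        if src == causal:
            # the causal rule fires exactly at t(e): t(e) - t(src) <= up
            m[event][src] = min(m[event][src], up)
    return canonicalize(m)


def successors(matrix, event, rules):
    """One candidate region per causal rule, dropping the empty ones."""
    out = {}
    for src, _, _ in rules:
        m = fire_event(matrix, event, rules, causal=src)
        if m is not None:
            out[src] = m
    return out


def drop_event(m, event):
    """Remove an event once it enables no marked rule any more."""
    return {x: {y: v for y, v in row.items() if y != event}
            for x, row in m.items() if x != event}


# Constructed from the page's example: E_m = {B, C}, t(B)-t(C) <= 5, t(C)-t(B) <= 2.
MATRIX_BC = {"B": {"B": 0, "C": 5}, "C": {"B": 2, "C": 0}}
RULES_D = [("B", 1, 2), ("C", 6, 10)]     # (B, D) in [1, 2], (C, D) in [6, 10]

if __name__ == "__main__":
    for causal, m in successors(MATRIX_BC, "D", RULES_D).items():
        print(f"{causal} causal to D:")
        for x in m:
            print("  ", x, [m[x][y] for y in m])
        print("   after removing B:", drop_event(m, "B"))
```

Beyond the two entries the text derives, full canonicalization also tightens the B-causal region to t(C) - t(B) <= -4, i.e. t(B) - t(C) >= 4, which follows from t(D) - t(C) >= 6 and t(D) - t(B) <= 2; the C-causal region is left with its original B/C bounds, confirming that it is the larger of the two.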

A note about the computation of ample sets. Since we need to ensure that each ample event is firable, this entails adding all enabled events to the event matrix (which contains all relevant fired events) and checking which event can fire first. Of all enabled events, only the one currently fired needs to be retained in the matrix, yet all others may need to be added again when the check for firable events is done in the next exploration step. To avoid the recomputation of separation times, we can manipulate during state space search a matrix that contains separations between both past events and currently enabled rules (events). However, only the event matrix proper (containing fired events) needs to be stored in the set of reached states. This results in savings over the use of the constraint matrix in the POSET approach.
Chapter 5

A Partial Order Reduction Framework for Timed Systems

5.1 Background and Motivation

In this chapter, we present a general method for applying partial order reduction to timed systems. Our goal is to compare and unify the various approaches to partial order reduction that have been employed so far for models such as time Petri nets, timed automata and timed event/level structures. We identify a common approach to partial order reduction, and present how some of the discussed algorithms could benefit from it.

We use a general timed model, for which we present a trace-based semantics which relaxes some constraints on the time ordering of transitions. This avoids unnecessary dependencies related to timing. We show how this relaxed semantics can be used with an exploration algorithm based on timed regions, and how the semantics naturally leads to the application of partial order reduction. Finally, we discuss how this framework can be particularized for some commonly used timed models.

The approaches to partial order reduction for timed systems have so far been quite diverse, and at the same time heavily dependent on the choice of the model. We briefly reexamine and compare the commonalities and differences in some of these methods.

One of the first approaches has been presented by Yoneda, Schlingloff et al. [YSSC93, YS97] for time Petri nets, which have a lower and upper firing bound associated with each transition. Time variables are introduced for firing times of transitions and for the timepoints when a place receives or loses a token. The state space exploration algorithm operates on regions (called atoms) which consist of a marking of the net and a conjunction of difference inequalities over the time variables of the net. The reduced set of transitions chosen for exploration (called ready set) is adapted from the stubborn sets of Valmari [Val90] for untimed Petri nets.

Despite exploring a reduced set of transitions, the partial order algorithm still accounts for all execution sequences by using less restrictive timing constraints. Without partial orders, each explored transition has to fire at an earlier time than any other enabled transition. This serialization constraint causes the generation of a distinct timed region for each transition interleaving. In contrast, the partial order algorithm only requires a transition from the ready set to fire earlier than any other transition from the ready set.

Avoiding a specific time ordering for independent transitions is a very general approach. However, the correctness proof in [YS97] relies heavily on the particular form of the constraints in time Petri nets. Moreover, the proof is complicated by the fact that the state space explored using partial orders is not a subset of the original one. Lilius [Lil98] proposes to obtain better reduction by not storing any information on transition firing order in the timed state. However, this approach only preserves the reachable markings of the net, and not the timing information.

The POSET approach to the verification of timed event/level structures operates, as its name states, on partially ordered sets of events. However, as discussed in Chapter 4, it is still effectively based on exploring a total order of rule firings, a fact which is reflected in its dual data structures for rules and events. Optimizations presented in [Bel99] avoid redundant rule interleavings in some cases, but are based on specific details of the event/level model, rather than on a general notion of partial orders.

For timed automata, the initial approaches of Pagani [Pag96, Pag97] as well as of Dams et al. [DGKK98] offer relatively little potential for reduction, because the global passage of time leads to inherent transition dependencies. The local time model of Bengtsson et al. [BJLW98], extended in Chapter 3, removes this synchronization and restores the transition independence of the underlying untimed system. It applies the same general principle as [YS97], allowing independent transitions to be explored without being serialized in time. Yet, the approach relies on the system's structure as a product of parallel components, setting it off from Petri nets and TEL structures. Moreover, it depends on the fact that clocks cannot be shared between automata.
In the following, we define a partial order reduction technique which encompasses and refines the fundamental ideas mentioned above, and apply it to a generic timed model, which uses the basic notions of timed states and timed transitions.


5.2 Timed Structures and Traces

Definition 16 A timed structure is a tuple $\mathcal{Q} = (S_t, S_t^0, T, N)$, where:

• $S_t$ is a set of timed states

• $S_t^0 \subseteq S_t$ is a subset of initial timed states

• T is a finite set of transitions

• $N : S_t \times (\mathbb{R}^+ \times T) \to S_t$ is a partial next-state function that defines a set of timed transitions (t, a) with $t \in \mathbb{R}^+$ and $a \in T$.

Consider a state $s \in S_t$, a transition $a \in T$ and a timepoint $t \in \mathbb{R}^+$. If $(s, t, a) \in \mathrm{dom}\,N$, we say that transition a can be taken from state s at timepoint t, and leads to state $s' = N(s, t, a)$. We denote this by $s \xrightarrow{t,a} s'$.

A timed transition (t, a) is enabled at state $s \in S_t$ if for some state $s' \in S_t$ we have $s \xrightarrow{t,a} s'$. As before, we denote the set of all such transitions by enabled(s). A transition a is future enabled at state s and time t if it can be executed at some timepoint $t' \ge t$. We denote this set by $\mathit{enabled}^+(s, t) = \{a \in T \mid \exists t' \ge t \,.\, (t', a) \in \mathit{enabled}(s)\}$. The upper bound on the firing time of a at s is denoted by $\mathit{firemax}(a, s) = \sup\{t \in \mathbb{R}^+ \mid (t, a) \in \mathit{enabled}(s)\}$. We write $t \prec \mathit{firemax}(a, s)$ to denote a strict inequality if the upper firing bound is not reached, and a non-strict inequality otherwise.

A model for a timed structure $\mathcal{Q}$ is a state-transition graph, defined by means of its execution traces, on which we impose two conditions. First, the execution times of transitions have to form a monotonically increasing sequence. Second, an enabled transition has to fire if it is not disabled before its maximum firing time. Consequently, some transition has to fire at a state before the maximum firing time of any enabled transition elapses.

For example, assume that the system has reached the timed state s at timepoint t = 1, and that the enabled transitions are a and b with upper bounds of 5 and 7, respectively. Then, the next transition has to be executed from state s before or at timepoint 5, which is the smaller of the two upper bounds. For instance, the next transition cannot be b at timepoint 6, since a would have had to fire earlier than that.

Thus, if state s is reached at time t, the firing time t' of the next transition has to satisfy $t \le t' \prec \mathit{firemax}(a, s)$, for all $a \in \mathit{enabled}^+(s, t)$.


Definition 17 The family $\mathcal{L}_s(\mathcal{Q})$ of execution traces of a timed structure $\mathcal{Q}$ contains all infinite sequences $\sigma = s_0 \xrightarrow{t_1,a_1} s_1 \xrightarrow{t_2,a_2} s_2 \ldots$ such that

$t_i \le t_{i+1} \prec \mathit{firemax}(a, s_i)$ for $i \ge 0$, $a \in \mathit{enabled}^+(s_i, t_i)$ (where $t_0 = 0$).


In the following, we restrict our attention to non-Zeno traces, in which only a finite number of transitions can occur within any finite interval. Consequently, in any non-Zeno trace, time grows unbounded towards infinity.


5.3 A Relaxed Timing Semantics

5.3.1 Preliminaries

In practice, state space exploration algorithms operate on sets of timed states, usually called timed regions, which are represented using timing constraints. Requiring a strict time ordering of explored transitions causes transitions to be serialized even if they are independent. As a result, supplementary constraints on transition ordering are added to the representation of a timed region. Thus, a distinct timed region is generated for each interleaving of transitions, leading to an explosion in the number of generated regions.

We approach this problem by defining a modified semantics for a timed structure, which relaxes some of the time ordering constraints specified for the traces in $\mathcal{L}_s(\mathcal{Q})$. Recall that in a trace $\sigma = s_0 \xrightarrow{t_1,a_1} s_1 \xrightarrow{t_2,a_2} s_2 \ldots s_i \ldots$ from $\mathcal{L}_s(\mathcal{Q})$, each subsequent timed transition $s_i \xrightarrow{t_{i+1},a_{i+1}} s_{i+1}$ has to satisfy:

• a relative ordering condition on transition timings: $t_i \le t_{i+1}$

• a bound on the firing time: $t_{i+1} \prec \mathit{firemax}(a, s_i)$, for all $a \in \mathit{enabled}^+(s_i, t_i)$

We will now give similar, but less restrictive conditions for our new semantics, and discuss them intuitively before giving a formal proof.

First, the relaxed semantics must preserve time ordering due to causality. Given an execution trace $\sigma = s_0 \xrightarrow{t_1,a_1} s_1 \xrightarrow{t_2,a_2} s_2 \ldots \xrightarrow{t_n,a_n} s_n \ldots$ we define $\mathit{caused}(a_i)$ to be the set of transitions which become enabled as a result of executing $a_i$: $\mathit{caused}(a_i) = \{a \in T \mid a \notin \mathit{enabled}(s_{i-1}) \wedge a \in \mathit{enabled}(s_i)\}$.
We say that transition $a_i$ is causal to $a_j$, with $i < j$, if $a_j \in \mathit{caused}(a_i)$ and $a_j \in \mathit{enabled}(s_k)$ for $i \le k < j$. In other words, $a_j$ is not enabled prior to the execution of $a_i$, but becomes enabled at $s_i$ and remains enabled until executed. (A self-loop transition which disables and re-enables another transition, such as in Petri nets, is considered causal to the affected transition.) If $a_i$ is causal to $a_j$ we naturally require that it occur earlier: $t_i \le t_j$. (1)

Next, we consider transitions which are independent, in the same sense used previously with partial order reduction. If transition (t, a) is enabled in state s, and $s \xrightarrow{t,a} s'$, we denote the successor state s' with $\mathit{succ}_{t,a}(s)$.

Definition 18 Two timed transitions (t, a) and (t', a') are independent iff for any timed state s such that $(t, a), (t', a') \in \mathit{enabled}(s)$ the following relations hold: $(t, a) \in \mathit{enabled}(\mathit{succ}_{t',a'}(s))$, $(t', a') \in \mathit{enabled}(\mathit{succ}_{t,a}(s))$ and $\mathit{succ}_{t',a'}(\mathit{succ}_{t,a}(s)) = \mathit{succ}_{t,a}(\mathit{succ}_{t',a'}(s))$. Two untimed transitions a and a' are independent if the timed transitions (t, a) and (t', a') are independent for any $t, t' \in \mathbb{R}^+$, and are dependent otherwise.

The goal of our relaxed semantics is to ensure that each execution trace is stuttering equivalent to a trace of the original model. Consider the timed transitions $\xrightarrow{t,a}$ and $\xrightarrow{t',a'}$, with $t < t'$. It is clear that the interleaving which explores $\xrightarrow{t',a'}$ followed by $\xrightarrow{t,a}$ is equivalent with the original one if a and a' are independent and at least one of the two transitions is invisible.

To characterize the opposite situation, we define $\mathit{conflict}(a) = \{b \in T \mid a \text{ and } b \text{ are dependent or } a \text{ and } b \text{ are visible}\}$. Thus, conflict(a) is the set of all transitions that are dependent on a, to which the set of visible transitions is added, if a itself is visible. If $a_i$ and $a_j$ in trace σ are in conflict, our second requirement is that they be explored in the order of their execution timepoints: $i < j \Rightarrow t_i \le t_j$. (2)

The ordering conditions (1) and (2) are the less restrictive version of the strict time ordering enforced on $\mathcal{L}_s(\mathcal{Q})$. We next examine a counterpart for the restriction on the next transition firing time.

For an execution trace σ, denote by $\sigma_i$ the prefix containing the first i transitions: $\sigma_i = s_0 \xrightarrow{t_1,a_1} s_1 \ldots \xrightarrow{t_i,a_i} s_i$. Denote by $\mathit{enabled}^*(\sigma_i)$ the set of finite or infinite transition sequences $\rho = a_{i+1} a_{i+2} \ldots$ such that for some $t_{i+1}, t_{i+2}, \ldots$ the trace $\sigma' = s_0 \xrightarrow{t_1,a_1} s_1 \ldots \xrightarrow{t_i,a_i} s_i \xrightarrow{t_{i+1},a_{i+1}} s_{i+1} \ldots$ satisfies conditions (1) and (2). Then, let $\mathit{firemax}(a_k, \sigma_i\rho)$ be the upper bound on the firing time $t_k$ of transition $a_k$ over all such execution traces σ'. We also use the shorthand $a_k \in \rho$ to denote that transition $a_k$ is part of the sequence ρ.
Our final condition requires a transition $a_{i+1}$ to fire before the last enabling time of any conflicting transition that could occur on a continuation of the trace prefix $\sigma_i$. That is, $t_{i+1} \prec \mathit{firemax}(b, \sigma_i\rho)$ for all $b \in \mathit{conflict}(a_{i+1})$ and $b \in \rho \in \mathit{enabled}^*(\sigma_i)$. This ensures that condition (2) is feasible: if the firing time of $a_{i+1}$ were greater than the maximum firing time of transition $b \in \mathit{conflict}(a_{i+1})$, then b could not be explored subsequently while observing $t_{a_{i+1}} \le t_b$, required by (2).

5.3.2 Traces with relaxed timing

We are now ready to define our semantics in which not all timed transitions have to be executed in the order of their timestamps.

Definition 19 A relaxed timing semantics for a timed structure $\mathcal{Q}$ is given by a family $\mathcal{L}_r(\mathcal{Q})$ of traces over the state space $S_t$, starting at an initial state in $S_t^0$, where each execution trace $\sigma = s_0 \xrightarrow{t_1,a_1} s_1 \xrightarrow{t_2,a_2} s_2 \ldots s_n \ldots$ satisfies the following conditions for all $i, j \ge 1$:

(1) $a_i$ causal to $a_j \Rightarrow t_i \le t_j$

(2) $a_j \in \mathit{conflict}(a_i) \wedge i < j \Rightarrow t_i \le t_j$

(3) $t_{i+1} \prec \mathit{firemax}(b, \sigma_i\rho)$ for all $b \in \mathit{conflict}(a_{i+1})$, $b \in \rho \in \mathit{enabled}^*(\sigma_i)$

together with the following fairness constraint:

(F) $a \in \mathit{enabled}(s_i) \wedge \mathit{firemax}(a, \sigma_i) < \infty \Rightarrow \exists k > i \,.\, (a \notin \mathit{enabled}(s_k) \vee a = a_k)$

The first three conditions have been discussed in turn. The fairness condition F prohibits an indefinite postponement of a transition a which has a finite upper firing bound.

With this definition, we can now prove:

Theorem 6 The set of relaxed traces $\mathcal{L}_r(\mathcal{Q})$ is a superset of the set of standard traces $\mathcal{L}_s(\mathcal{Q})$. Moreover, each relaxed trace is stuttering equivalent to some standard trace.

Proof: It is clear that all traces of $\mathcal{L}_s(\mathcal{Q})$ are also traces of $\mathcal{L}_r(\mathcal{Q})$. Indeed, in $\mathcal{L}_s(\mathcal{Q})$ a timed transition has to be firable with respect to all transitions enabled at that state, and the ordering condition between timepoints holds between all pairs of transitions. The fairness condition is ensured in $\mathcal{L}_s(\mathcal{Q})$ by the non-Zeno assumption: time eventually exceeds any bound, and thus a perpetually enabled transition with a finite firing bound is forced to execute when this bound is reached.

Let us consider a trace $\sigma \in \mathcal{L}_r(\mathcal{Q})$ and construct a stuttering-equivalent trace $\sigma' \in \mathcal{L}_s(\mathcal{Q})$. We prove by induction over $k \in \mathbb{N}$ that we can successively construct the execution traces $\sigma^0, \sigma^1, \ldots, \sigma^k, \ldots \in \mathcal{L}_r(\mathcal{Q})$ from σ by permuting transitions, such that $\sigma^k \sim_{st} \sigma$, and the first k transitions from $\sigma^k$ can be executed in the standard semantics. Specifically, $\sigma^k$ starts with the first k transitions of σ in order of their timepoints, with ties broken in favor of the transition explored earlier. For the base case k = 0 we trivially take $\sigma^0 = \sigma$, since the initial states are the same in both trace families.

For the induction step, assume the property is true for some $k \ge 0$. Let $(t_j, a_j)$ be the transition in $\sigma^k$ with the next smallest timepoint after the transitions $a_1, a_2, \ldots, a_k$ of $\sigma^k$. If $j = k + 1$, we trivially take $\sigma^{k+1} = \sigma^k$. Otherwise, for $k < i < j$, condition (1) guarantees that $a_i$ is not causal for $a_j$, otherwise $t_i \le t_j$ and we would have chosen $a_i$ instead of $a_j$. Likewise, condition (2) ensures that $a_i$ is not in conflict with $a_j$, since otherwise again $t_i \le t_j$. Consequently, $a_i$ and $a_j$ are independent for $k < i < j$ and thus $a_j$ can be successively commuted with $a_{j-1}, \ldots, a_{k+1}$, resulting in a new execution sequence $\sigma^{k+1}$. Furthermore, since $a_j$ and $a_i$ are not in conflict, either $a_j$ is invisible, or all $a_i$ with $k < i < j$ are. In either case, $\sigma^{k+1} \sim_{st} \sigma^k \sim_{st} \sigma$.

We still have to prove that $\sigma^{k+1} \in \mathcal{L}_r(\mathcal{Q})$. It suffices to show that commuting adjacent non-conflicting transitions into time order preserves conditions (1) through (3). This is clear for conditions (1) and (2), since the transitions which are commuted now occur in increasing time order. For condition (3), we examine the case where the fragment $s \xrightarrow{t_2,a_2} s_1 \xrightarrow{t_1,a_1} s'$ of $\sigma^k$, with $t_1 < t_2$, is permuted to $s \xrightarrow{t_1,a_1} s_2 \xrightarrow{t_2,a_2} s'$ in $\sigma^{k+1}$. We need to show condition (3) at states s and $s_2$, where the explored transitions differ in $\sigma^k$ and $\sigma^{k+1}$ (Figure 5.1).

For state s, consider a transition b in conflict with $a_1$, such that a transition sequence $\rho b$ can be executed at s. Moreover, choose ρ to be minimal, in the sense that each transition in ρ is necessary to cause b. If $a_2$ is independent of all transitions in the sequence $\rho b$, this sequence remains enabled at $s_1$ after executing $a_2$, and $t_1 \prec \mathit{firemax}(b, s_1\rho b)$, since condition (3) holds at $s_1$ in $\sigma^k$. Otherwise, $a_2$ is in conflict with some transition c in the sequence $\rho b$, and thus $t_2 \prec \mathit{firemax}(c, s\rho b)$, by condition (3) at s in $\sigma^k$. Since c and b are connected by causality, we have $t_c \le t_b$ and thus $\mathit{firemax}(c, s\rho b) \le \mathit{firemax}(b, s\rho b)$. Since $t_1 < t_2$, we obtain by chaining the inequalities that $t_1 \prec \mathit{firemax}(b, s\rho b)$.
Figure 5.1: Commuting non-conflicting transitions preserves condition (3)

Thus, condition (3) holds at s.

For state $s_2$, if the transition sequence $\rho b$ (where b conflicts with $a_2$) is executable from $s_2$, then the sequence $a_1\rho b$ is executable from s. Applying condition (3) at state s in $\sigma^k$ we obtain that $t_2 \prec \mathit{firemax}(b, s\,a_1\rho) = \mathit{firemax}(b, s_2\rho)$, which is precisely the condition needed at state $s_2$.

It remains to show that $t_j$ is a legal firing time in the standard semantics. Consider a transition b enabled in $s_k$, after the first k transitions of $\sigma^{k+1}$. If b has an infinite firing bound, we have nothing to prove. Otherwise, if the upper bound on the firing time of b is finite, the fairness condition F ensures that b either fires or is disabled at some point. In the first case, if $t_b$ is the firing time of b, we have $t_j \le t_b$, otherwise b would have been chosen instead of $a_j$ in the induction step. In the second case, b must be disabled by some transition $a_l$, thus $t_l \prec \mathit{firemax}(b, s_{l-1})$, and again $t_j \le t_l$ because of the choice of $a_j$. In both cases, $t_j$ does not exceed the maximum firing time of b and thus satisfies the standard semantics. □

In the relaxed timing semantics defined above, it is possible to fire a transition $a_{i+1}$ from a state $s_i$ even though the minimum firing time of $a_{i+1}$ exceeds the maximum firing time of some other transition b enabled at $s_i$. If b does not conflict with $a_{i+1}$, this does not violate condition (3). However, $a_{i+1}$ is not firable from $s_i$ in the standard semantics, since b has to be fired first. This means that the number of untimed transitions which can be fired from a given state in the relaxed semantics can be larger than the number of transitions firable in the standard semantics. Thus, a state search algorithm based on timed regions, which makes one exploration step for each untimed transition from T enabled at a state, may explore more transitions in the relaxed semantics than in the standard semantics.
To ensure that the partial order reduction procedure does not operate on a larger state graph than initially, we can restrict the enabledness condition in the relaxed semantics. Namely, a transition $(t_{i+1}, a_{i+1})$ is firable after trace $\sigma_i$ only if $a_{i+1}$ can be fired earlier than the maximum firing time of all enabled transitions, i.e., $\exists t' \in \mathbb{R}^+$ such that $(t', a_{i+1}) \in \mathit{enabled}(\sigma_i)$ and $t' \prec \mathit{firemax}(b, \sigma_i)$ for all $b \in \mathit{enabled}(\sigma_i)$. In contrast to the standard semantics, this condition does not restrict the maximum firing time of $a_{i+1}$, it merely requires that $a_{i+1}$ be firable before all other enabled transitions. With this modification, a transition from T is firable in the relaxed semantics iff it is firable in the standard semantics, with no penalty in state space increase.

5.3.3  Enforcing  timing  conditions 

The family $\mathcal{C}_r(Q)$ of traces with relaxed timing is characterized indirectly by a set of conditions. A state-space exploration needs an explicit definition of the transitions that can be explored at any given state. Of the given conditions (1) through (3), the third is difficult to ensure directly, since it restricts the firing time with respect to all possible future conflicting transitions. To obtain a condition which can be enforced in practice, we draw on the approach of [YS97], which in turn is based on the stubborn set technique of [Val90].

Let $b$ be a transition which is not enabled in the timed state $s$. A set of transitions is necessary for $b$ at $s$ (denoted $\mathit{necessary}(b, s)$) if $b$ cannot be executed on any trace from $s$ without executing some transition in $\mathit{necessary}(b, s)$ first. That is, for any sequence of transitions $a_1, a_2, \ldots, a_k$ starting at $s$ with $a_k = b$ there exists $i < k$ such that $a_i \in \mathit{necessary}(b, s)$. Let $\mathit{necessary}^*(b, s)$ be a set of transitions which contains $b$ and is transitively closed under necessity, i.e., for any $c \in \mathit{necessary}^*(b, s)$ disabled in $s$, there exists a subset of transitions $\mathit{necessary}(c, s) \subseteq \mathit{necessary}^*(b, s)$ which is necessary for $c$ at $s$.

Let $a$ be a transition in $\mathit{enabled}(s)$. A set of transitions in $\mathit{enabled}(s)$ is a dependency set for transition $a$ at state $s$ (denoted $\mathit{dependency}(a, s)$) if for any transition $b \in \mathit{conflict}(a)$ there exists a set $\mathit{necessary}^*(b, s)$, such that all its transitions that are enabled at $s$ belong to $\mathit{dependency}(a, s)$. Thus, no transition in conflict with $a$ can be enabled starting from $s$ without first executing a transition from $\mathit{dependency}(a, s)$. For both necessary and dependency sets, multiple choices may be possible. In the following, these notations always denote a specific choice of such a set.

The computation of necessary sets depends on the chosen description model. For Petri nets, one can choose the input transitions of an unmarked input place of the disabled transition [YS97]. For communicating processes, a necessary set for a locally enabled communication transition consists of all transitions that precede the corresponding communication points in other processes. For a system containing data variables, a transition disabled by a false guard has as necessary set all transitions which modify that guard. This can be refined by analyzing the effects of specific variables [Val90].

Let us discuss the enforcement of condition (3) using these notions. We know that in order for any transition $b \in \mathit{conflict}(a_i)$ to fire in the future, an enabled transition $a_j \in \mathit{necessary}^*(b, s_{j-1})$ (and thus in $\mathit{dependency}(a_i, s_{i-1})$) must fire first. Assume that we are requiring $t_i < t_j$ for all $j > i$ such that $a_j \in \mathit{dependency}(a_i, s_{i-1})$ (and $a_j$ is continually enabled in $s_{i-1}$ through $s_{j-1}$). Since $a_j$ is necessary for $b$, $a_j$ is the start of a sequence of causal transitions $\rho$ leading to $b$, and thus $t_i < t_j < t_b$. Thus, $t_i \prec \mathit{firemax}(b, \sigma_{i-1}\rho)$. Consequently, conditions (2) and (3) can be replaced with:

$t_i < t_j$ for $i < j$ and $a_j \in \mathit{dependency}(a_i, s_{i-1})$

This analysis can be refined in two ways. First, one can consider transition firing times in the definition of necessary and dependency sets. A transition $b$ which conflicts with an enabled transition $a$ need not affect the firing conditions of $a$ if $b$ cannot fire before the maximal firing time of $a$.

As a second refinement, the condition $t_i < t_j$ for $a_j \in \mathit{dependency}(a_i, s_{i-1})$ can be made less restrictive if a relation between the firing time of a transition $b \in \mathit{conflict}(a_i)$ and the firing time of a transition $a_j \in \mathit{necessary}(b, s_{j-1})$ can be computed. If this relation is of the form $t_b = f(s_{j-1}, t_j)$, for some function $f$, then we can require $t_i < f(s_{j-1}, t_j)$ for $a_j \in \mathit{dependency}(a_i, s_{i-1})$, which replaces conditions (2) and (3).

This second refinement can lead to a reduced branching in the state space. For example, consider a system in which transitions $a$ and $b$ are enabled at the current state, $b$ is in the dependency set of $a$ because it can cause the execution of $d \in \mathit{conflict}(a)$ with $t_d > t_b + 2$, and $a$ is in the dependency set of $b$ because it can cause transition $c \in \mathit{conflict}(b)$ with $t_c > t_a + 1$. However, if $-1 < t_a - t_b < 2$ we obtain $t_b < t_a + 1 < t_c$ and $t_a < t_b + 2 < t_d$, so under these conditions both $a$ and $b$ can fire, without affecting each other. With our refinement, the timed region $-1 < t_a - t_b < 2$ is obtained in the relaxed timing semantics regardless of the exploration order between $a$ and $b$, and can be explored as a whole. With the first definition of dependency sets, taken from [YS97], the interleavings $t_a < t_b$ and $t_b < t_a$ have to be considered, and thus two regions, $-1 < t_a - t_b < 0$ and $0 < t_a - t_b < 2$, are obtained and further explored separately.
5.3.4  Exploration based on timed regions

We have seen that an execution trace with relaxed timing has to satisfy conditions of the form $t_i < t_j$ or $t_i < f(t_j)$ for $i < j$. These inequalities are enforced either when $a_j$ is caused by $a_i$ or when $a_j$ is in the dependency set or conflict set of $a_i$. To this effect, the transition execution times $t_i$ have to be part of the timed state, or have to be temporarily added to the timed state as auxiliary variables, for as long as it is needed to enforce such inequalities.

In  time  Petri  nets  or  TEL  structures,  the  firing  time  of  a  transition  or 
event  appears  explicitly  as  part  of  the  timed  state  and  the  transition  relation: 
a  transition  fires  within  specified  time  bounds  of  the  transition  that  enabled 
it.  In  timed  automata,  the  current  time  appears  as  auxiliary  variable  in  the 
form  of  the  zero  clock.  The  advancing  of  time  after  each  transition  serves  to 
enforce  the  order  among  sequentially  executed  transitions. 

A practical state space exploration algorithm does not explore an infinite, uncountable number of timed traces, but operates instead on sets of timed states called timed regions. An exploration step for a given transition $a$ consists in computing the successor region containing all timed states reached by executing that transition from the states of the current timed region $r$:

$\mathit{succ}_a(r) = \{\, s' \in S_T \mid \exists s \in r,\; t \in \mathbb{R}^+ \;.\; s \xrightarrow{t,a} s' \,\}$

We also write $r \xrightarrow{a} r'$ if $r' = \mathit{succ}_a(r)$. Then, a sequence of timed regions $r_0 \xrightarrow{a_1} r_1 \ldots r_j \ldots$ accounts for all timed traces $\sigma = s_0 \xrightarrow{t_1,a_1} s_1 \ldots s_j \ldots$, where $r_0$ is the region containing all initial states $s_0$. Typically, as we have seen for timed automata, time Petri nets and TEL structures, the description of the timed system contains a set of time variables, and timed regions are represented using difference inequalities on those variables.

To incorporate conditions of the form $t_i < t_j$ or $t_i < f(t_j)$ into the region successor operation, two basic possibilities exist. A first solution retains the firing time $t_i$ of a transition $a_i$ as part of a timed state (and thus, timed region), as long as there are enabled transitions $a_j$ for which a relative constraint between $t_i$ and $t_j$ may need to be enforced. Once no such enabled transitions remain, $t_i$ is removed from the representation of the timed region by existential quantification.
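As an added example (not the dissertation's tool, whose DBM code is not reproduced on this page), the successor operation $\mathit{succ}_a(r)$ above and the existential quantification just described, on zones represented as difference bound matrices with the zero clock at index 0. Only non-strict integer bounds are assumed, so an entry $d[i][j] = c$ means $x_i - x_j \le c$; the two clocks, the guard $x \ge 2$ and the reset in `example()` are constructed for the illustration.

```python
"""Difference bound matrix (DBM) zone operations for the region successor
succ_a(r) of a timed automaton transition.  Added illustration for this page,
not the dissertation's tool.  Index 0 is the zero clock (x_0 = 0), so
d[i][j] = c means x_i - x_j <= c; only non-strict integer bounds are
modelled, INF meaning "no bound"."""
from copy import deepcopy
from typing import List, Optional, Tuple

INF = float("inf")
DBM = List[List[float]]
Constraint = Tuple[int, int, float]      # (i, j, c) encodes x_i - x_j <= c


def zone_zero(n_clocks: int) -> DBM:
    """All clocks equal to 0: the initial timed state of the automaton."""
    return [[0] * (n_clocks + 1) for _ in range(n_clocks + 1)]


def canonical(d: DBM) -> DBM:
    """Floyd-Warshall closure: each entry becomes the tightest implied bound."""
    d = deepcopy(d)
    n = len(d)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if d[i][k] + d[k][j] < d[i][j]:
                    d[i][j] = d[i][k] + d[k][j]
    return d


def is_empty(d: DBM) -> bool:
    """A canonical DBM is unsatisfiable iff some x_i - x_i <= c has c < 0."""
    return any(d[i][i] < 0 for i in range(len(d)))


def constrain(d: DBM, c: Constraint) -> DBM:
    """Conjoin one difference constraint and re-canonicalize."""
    i, j, bound = c
    d = deepcopy(d)
    d[i][j] = min(d[i][j], bound)
    return canonical(d)


def delay(d: DBM) -> DBM:
    """Let time elapse: drop every upper bound x_i <= c (the zone's future)."""
    d = deepcopy(d)
    for i in range(1, len(d)):
        d[i][0] = INF
    return d


def reset(d: DBM, i: int) -> DBM:
    """x_i := 0 on a canonical DBM: x_i inherits the zero clock's relations."""
    d = deepcopy(d)
    for j in range(len(d)):
        if j != i:
            d[i][j] = d[0][j]
            d[j][i] = d[j][0]
    return d


def free(d: DBM, i: int) -> DBM:
    """Existentially quantify x_i out of the zone (only x_i >= 0 remains):
    the operation that drops a retained firing time once it is no longer needed."""
    d = deepcopy(d)
    for j in range(len(d)):
        if j != i:
            d[i][j] = INF
            d[j][i] = d[j][0]
    return canonical(d)


def succ(r: DBM, guard: List[Constraint], resets: List[int],
         invariant: List[Constraint]) -> Optional[DBM]:
    """succ_a(r): states reached from r by taking the transition at some time
    and then letting time pass; None if the guard is unsatisfiable in r.
    A lower-bound guard x_i >= l is written (0, i, -l)."""
    d = canonical(r)
    for c in guard:
        d = constrain(d, c)
    if is_empty(d):
        return None
    for i in resets:
        d = reset(d, i)
    for c in invariant:
        d = constrain(d, c)
    d = delay(d)
    for c in invariant:            # the target location's invariant bounds the delay
        d = constrain(d, c)
    return canonical(d)


def example() -> DBM:
    """Constructed case: clocks x (index 1) and y (index 2) started together;
    fire a transition with guard x >= 2 that resets x.
    Result: 0 <= x and y - x >= 2, with no upper bounds."""
    r0 = delay(zone_zero(2))
    return succ(r0, guard=[(0, 1, -2)], resets=[1], invariant=[])
```

The order of operations in `succ` (guard, reset, invariant, delay, invariant) is the usual zone-successor recipe for timed automata; `free` is what the first solution in the text applies to a retained $t_i$ once no enabled transition needs to be related to it.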

A second solution introduces, upon firing $a_i$, time variables for all potential future transitions $a_j$ whose firing time $t_j$ is related to $t_i$. Then, $t_i$ is quantified out, being no longer needed, and likewise the time variables for the transitions which become disabled as a result of firing $a_i$. Thus, the current timed region contains a time variable for each enabled transition. This is the solution adopted in [YS97, BM98].

The relative tradeoffs of the two approaches depend on the analyzed model. If the branching factor at each state is high, tracking all enabled transitions may lead to a large number of unneeded time variables, since not all enabled transitions are executed. If only past transition times are maintained, no unnecessary variables are introduced. However, the time of a past transition may have to be retained long after its exploration, as long as there are unexplored transitions that need to be related to it.


5.4  Partial  Order  Reduction 

The exploration step $\mathit{succ}$ for exploring a transition defines a state-transition graph (region automaton) $\mathcal{R}(Q)$ whose states are timed regions. We restrict ourselves to the case when the number of timed regions is finite. The particular models analyzed so far (timed automata, time Petri nets, TEL structures) admit a finite quotient, since their timing is described by elementary difference constraints with integer constants.

Partial order reduction can be applied to the region automaton by finding an ample set of transitions which is sufficient for exploration at each state. We construct the ample sets based on the dependency sets discussed in Section 5.3. This notion can be naturally extended to regions, by defining $b \in \mathit{dependency}(a, r)$ iff $\exists s \in r \;.\; b \in \mathit{dependency}(a, s)$. For C0, C2 and C3, we use the standard formulation of the ample set conditions. For C1, we require of any region $r \in R$ that:

C1'  $a \in \mathit{ample}(r) \Rightarrow \mathit{dependency}(a, r) \subseteq \mathit{ample}(r)$

In  other  words,  the  ample  set  of  a  region  is  closed  with  respect  to  the 
dependency  relation.  Thus,  an  ample  set  can  be  computed  by  choosing  an 
enabled  transition  and  successively  adding  any  transitions  in  the  dependency 
set  of  an  ample  transition  to  the  ample  set,  until  a  fixpoint  is  reached. 
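The closure just described, together with the necessary and dependency sets defined in Section 5.3.3, as an added example that is not the dissertation's own code: a constructed 1-safe Petri net on which necessary sets follow the Petri-net rule given in the text (the input transitions of one unmarked input place of the disabled transition), $\mathit{necessary}^*$ is closed under necessity, $\mathit{dependency}(a, s)$ collects the enabled members for every conflicting transition, and the ample set is grown from one enabled transition until it is closed under dependency (C1'). Only the untimed structure is needed to build the sets, and only C1' is enforced; C0, C2 and C3 are not checked. The net, marking and transition names are constructed.

```python
"""Necessary sets, dependency sets and the C1' ample-set closure, computed on
a constructed 1-safe Petri net.  Added illustration for this page, not the
dissertation's own code."""
from typing import Dict, FrozenSet, Set, Tuple

Marking = FrozenSet[str]

# Constructed net: transition -> (input places, output places).
NET: Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]] = {
    "a": (frozenset({"p1"}), frozenset({"p3"})),
    "b": (frozenset({"p1", "p5"}), frozenset({"p6"})),  # conflicts with a on p1
    "c": (frozenset({"p2"}), frozenset({"p5"})),        # can enable b
    "d": (frozenset({"p4"}), frozenset({"p5"})),        # can enable b, needs p4
    "e": (frozenset({"p7"}), frozenset({"p4"})),        # can enable d
    "f": (frozenset({"p8"}), frozenset({"p9"})),        # independent of the rest
}
S0: Marking = frozenset({"p1", "p2", "p7", "p8"})      # constructed initial marking


def enabled(s: Marking) -> Set[str]:
    """Transitions whose input places are all marked in s."""
    return {t for t, (pre, _) in NET.items() if pre <= s}


def conflict(a: str) -> Set[str]:
    """Transitions competing with a for an input place."""
    pre_a = NET[a][0]
    return {t for t, (pre, _) in NET.items() if t != a and pre & pre_a}


def necessary(b: str, s: Marking) -> Set[str]:
    """necessary(b, s) for a disabled b, by the Petri-net rule of the text:
    the input transitions of one unmarked input place of b (the alphabetically
    first such place, a deterministic choice among the possible sets)."""
    place = min(NET[b][0] - s)
    return {t for t, (_, post) in NET.items() if place in post}


def necessary_star(b: str, s: Marking) -> Set[str]:
    """Close {b} under necessity: every disabled member contributes its own
    necessary set."""
    closed, work, en = {b}, [b], enabled(s)
    while work:
        c = work.pop()
        if c in en:
            continue
        for t in necessary(c, s):
            if t not in closed:
                closed.add(t)
                work.append(t)
    return closed


def dependency(a: str, s: Marking) -> Set[str]:
    """Enabled transitions that must fire before any b in conflict(a) can."""
    en = enabled(s)
    dep: Set[str] = set()
    for b in conflict(a):
        dep |= necessary_star(b, s) & en
    return dep


def ample(seed: str, s: Marking) -> Set[str]:
    """C1': start from one enabled transition and add the dependency sets of
    ample transitions until a fixpoint is reached."""
    amp, work = {seed}, [seed]
    while work:
        for t in dependency(work.pop(), s):
            if t not in amp:
                amp.add(t)
                work.append(t)
    return amp


def smallest_ample(s: Marking) -> Set[str]:
    """Seed with each enabled transition and keep the smallest closure."""
    cands = [ample(t, s) for t in sorted(enabled(s))]
    return min(cands, key=lambda amp: (len(amp), sorted(amp)))
```

On the constructed marking, $b$ is disabled but conflicts with $a$; since $c$ or $d$ could enable $b$, and $e$ could enable $d$, the ample set seeded with $a$ grows to $\{a, c, e\}$, while a transition with no conflicts (such as $c$ or $f$) is an ample set by itself.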

We can easily show that condition C1' subsumes the faithful decomposition condition C1 required for ample sets.

Proposition 10  If for every timed region $r$, the ample set $\mathit{ample}(r)$ satisfies condition C1', then no transition which is dependent on a transition from $\mathit{ample}(r)$ can be executed before a transition from $\mathit{ample}(r)$.

Proof: The result is a consequence of the correspondence between the region automaton and the underlying infinite family of timed traces $\mathcal{C}_r(Q)$. A transition $b$ dependent on $a \in \mathit{ample}(r)$ can be executed in $\mathcal{R}(Q)$ only if a corresponding timed transition $(t, b)$ can be executed in $\mathcal{C}_r(Q)$. However, by the definition of dependency sets, some enabled transition from $\mathit{necessary}^*(b, r)$ has to be executed before $b$, and this transition belongs to $\mathit{dependency}(a, r) \subseteq \mathit{ample}(r)$. This completes the proof. □


5.5  Discussion 

Of  the  existing  approaches  to  partial  order  reduction  for  timed  systems,  our 
formalism  draws  most  from  the  work  of  Yoneda  and  Schlingloff  [YS97]  on 
time  Petri  nets.  We  present  the  main  differences  of  our  approach  below. 

First,  the  formalism  presented  here  is  significantly  more  general.  The 
notion  of  timed  state  is  generic,  and  the  timed  transition  relation  between 
two  states  can  be  more  complex  than  a  time  separation  with  lower  and  upper 
bounds,  as  in  time  Petri  nets.  In  fact,  the  only  conceptual  restriction  for  our 
model  of  timed  structures  is  that  the  resulting  region  automaton  be  finite. 
This  is  true  if  the  timed  transition  relation  is  based  on  atomic  difference 
constraints  between  time  variables,  such  as  in  timed  automata.  However, 
the  generality  does  not  introduce  unnecessary  complexity.  In  fact,  for  time 
Petri  nets  our  approach  results  in  an  algorithm  similar  to  that  of  [YS97], 
with  potential  improvements  discussed  below. 

Another  difference  consists  in  the  approach  taken  to  design  and  prove 
the  algorithm.  In  [YS97],  a  region-based  state  space  exploration  algorithm 
without  partial  order  reduction  is  given  first.  Then,  the  time  ordering  of 
transitions  in  the  region-based  model  is  relaxed,  as  a  prerequisite  to  partial 
order  reduction.  As  a  consequence,  the  proof  is  quite  complex,  because  the 
state  space  obtained  using  partial  orders  is  not  a  subset  of  the  original  state 
space.  Furthermore,  the  proof  makes  extensive  reference  to  the  particular 
representations  of  transition  constraints  and  timed  regions. 

Our  approach  has  been  to  relax  time  ordering  on  the  family  of  timed  traces 
underlying  the  system  model.  As  a  result,  ensuring  stuttering  equivalence  by 
enforcing  constraints  on  transitions  from  a  dependency  set  leads  naturally  to 
the  selection  of  a  reduced  set  of  transitions  for  exploration.  Consequently, 
the  main  burden  of  the  proof  falls  onto  proving  stuttering  equivalence  for 
timed  traces.  The  application  of  partial  order  reduction  to  the  resulting 
region-based  model  is  straightforward. 

The algorithm of [YS97] requires an ample transition to fire before all other transitions from the ample set. The algorithm given here is less restrictive, and requires only the firing before all enabled transitions in the dependency set, which is a subset of the ample set. Since an ample transition is independent from the transitions in the difference of these two sets, fewer timed regions can be generated if a time ordering between these transitions does not need to be enforced. Furthermore, if the firing time of a future conflicting transition can be determined from the firing time of a currently enabled transition, the branching in the state space can be further reduced, as shown at the end of Section 5.3.3.

The  correspondence  to  timed  event/level  structures  is  direct  and  quite 
similar  to  time  Petri  nets.  Time  variables  in  this  case  are  the  firing  times 
of  events.  Causality  conditions  are  expressed  directly  as  part  of  the  rules, 
and  the  analysis  of  dependency  relations  is  done  in  the  same  way  as  for  time 
Petri  nets.  Similarly,  an  event  time  is  retained  as  a  part  of  the  timed  state 
as  long  as  events  caused  by  it  can  still  be  enabled;  it  can  be  quantified  out 
subsequently. 

In  comparison  to  our  local-time  approach  for  timed  automata,  the  main 
difference  lies  in  the  firing  semantics  of  transitions.  Using  the  terminology 
of  [BST99],  which  defines  three  types  of  urgency  for  transitions,  in  our  model 
of  timed  structures  transitions  are  delayable.  They  are  required  to  fire  before 
their  enabling  interval  expires;  within  this  interval  they  can  fire  at  any  given 
time.  In  timed  automata  transitions  that  are  not  constrained  by  a  state 
invariant  are  lazy:  it  is  possible  for  them  not  to  fire  even  if  enabled  throughout 
their  firing  interval.  Transitions  on  which  the  state  invariant  imposes  an 
upper  firing  bound  are  delayable  just  like  in  timed  structures.  (A  third  type, 
eager  or  urgent  transitions  which  execute  immediately  when  enabled  can  be 
handled  by  performing  a  special  check  for  such  transitions  at  any  state). 

Lazy  transitions  can  be  incorporated  in  our  framework  without  significant 
changes.  We  have  chosen  to  discuss  delayable  transitions  only  in  order  not 
to  complicate  the  presentation.  The  only  change  refers  to  the  requirement 
that  a  transition  execute  at  a  prior  time  compared  to  all  transitions  in  its 
dependency  set.  This  ensures  that  if  a  transition  from  the  dependency  set 
is  actually  executed,  the  resulting  trace  sequence  is  still  consistent  with  the 
standard  semantics,  without  conflicting  with  previously  explored  transitions. 
However,  since  lazy  transitions  are  not  forced  to  execute,  they  are  not  subject 
to  this  condition.  Thus,  a  transition  only  needs  to  fire  before  all  delayable 
transitions  from  its  dependency  set. 

For timed automata, causality is modeled by advancing the local time in each automaton after a transition. Thus, the new local time represents a possible legal firing time for a new transition, and its advancement ensures that the new transition takes place at a later time than the previous transition in the same automaton. At the same time, our general approach points out an alternative representation of local time. Instead of maintaining one reference time for each automaton (representing a potential time for a future transition), it is possible to maintain the time of the last transition in each automaton instead. With this approach, the number of auxiliary variables needed to represent a timed zone can be less than the number of automata at some states, because several automata can share a synchronization transition as last executed transition.

Concluding,  we  see  as  the  main  benefit  of  our  general  approach  the  fact 
that  it  identifies  the  conditions  and  the  potential  for  partial  order  reduction  at 
the  elementary  level  of  timed  traces,  to  which  a  large  variety  of  timed  models 
can  be  reduced.  The  fundamental  idea  is  to  distinguish  between  transition 
causality  and  serialization  due  to  timing,  and  to  define  a  semantics  which 
eliminates  unnecessary  serialization  and  branching  in  the  state  space.  The 
reduction  procedure  itself  is  given  in  terms  of  several  generic  notions,  such 
as  the  enforcement  of  transition  ordering,  the  computation  of  dependency 
sets  and  the  representation  of  timed  regions.  To  obtain  a  practical  model 
checking  algorithm,  the  characteristics  of  the  given  time  model  can  be  taken 
into  account  to  particularize  this  method  into  an  efficient  implementation. 
Chapter 6

Experimental Results


6.1  Implementation 

We  have  evaluated  the  performance  gains  that  can  be  obtained  by  partial 
order  reduction  for  systems  modeled  as  networks  of  timed  automata.  We  have 
concentrated  on  this  particular  model  both  since  it  is  the  most  complex  and 
expressive  among  those  studied,  and  because  no  practical  results  concerning 
partial  order  reduction  for  timed  automata  have  been  reported  so  far. 

In order to isolate the effects of partial order reduction, we have implemented both a standard state space exploration algorithm using timed zones and an algorithm that uses the local-time model described in Chapter 3. In both cases, we represent clock constraints using difference bound matrices, implemented simply as two-dimensional arrays.

To facilitate the comparison with other tools and the analysis of benchmarks commonly used in the literature, the tool that we have implemented operates on timed automata models which are described in the input language of the Uppaal verifier [LPW95]. The model adopted by Uppaal extends the definition of networks of timed automata (as presented in Chapter 3) by allowing the system to be augmented with integer variables. These can occur in transition guards and can be assigned as a result of a transition. This extension is useful in a large number of practical cases, and allows a natural modeling of more complex timed systems. It also introduces additional dependencies between the components and transitions of the system. We show in the following how to extend our results concerning partial order reduction to handle shared variables in the model.
If a variable is shared by several components of the system, the usual cases of read-write and write-write dependencies appear. To maintain the correct semantics, we have to ensure that write accesses to the variable are serialized with respect to both reads and other writes in the order of their occurrence in time. That is, if transitions $a_i$ and $a_j$ in a timed execution trace $(t_1, a_1), (t_2, a_2), \ldots, (t_n, a_n), \ldots$ are in conflict with respect to variable $v$, then $i < j$ if and only if $t_i < t_j$.

One  option  for  ensuring  this  property  is  to  introduce  an  auxiliary  time 
variable  tv  for  each  global  variable  v  in  the  model.  This  variable  would  be  set 
by  each  transition  that  accesses  (reads  or  writes)  v  to  the  execution  timepoint 
of  that  transition.  All  such  transitions  would  then  become  dependent  and 
would  be  serialized  by  ensuring  that  tv  grows  monotonically.  However,  this 
approach  quickly  becomes  expensive  if  the  model  contains  many  variables. 
Moreover,  it  unnecessarily  serializes  all  transitions  that  read  the  variable, 
even  though  they  have  the  same  effect  regardless  of  their  relative  order. 

Instead,  we  have  chosen  the  following  approach.  For  each  variable,  the 
two  sets  of  processes  that  can  read  and,  respectively,  write  that  variable  are 
statically  determined  at  the  time  of  building  the  model.  If  the  variable  is 
local  to  a  single  process,  nothing  need  be  done.  Otherwise,  if  a  transition 
that  accesses  variable  v  is  added  to  an  ample  set,  all  enabled  transitions  in 
the  other  automata  that  access  v  need  to  be  selected  as  well.  Moreover, 
when  selecting  such  a  transition  for  exploration,  its  execution  timepoint  is 
serialized  with  respect  to  the  processes  that  potentially  contain  a  transition 
which  conflicts  with  respect  to  v. 

Thus, if we use local reference times for each process, as in the local time model of Chapter 3, then a transition $a$ which reads $v$ will be restricted with the conjunct $\bigwedge_{i \in \mathit{write}(v)} t_i > t_a$, and a transition $b$ which writes $v$ is restricted by $\bigwedge_{i \in \mathit{read}(v) \cup \mathit{write}(v)} t_i > t_b$, where $\mathit{read}(v)$ and $\mathit{write}(v)$ are the sets of process indices which read and write $v$, respectively. This ensures that in the other relevant processes, the reference time has already advanced past the execution point of the considered transition, and thus any conflicting transitions explored subsequently are serialized in the correct order. If we use instead variables denoting the last transition in a given process, as in Chapter 5, then for a read transition $a$ we require $\bigwedge_{i \in \mathit{write}(v)} t_a > t_{\mathit{last}_i}$, and for a write transition $b$ we require $\bigwedge_{i \in \mathit{read}(v) \cup \mathit{write}(v)} t_b > t_{\mathit{last}_i}$. Here, the inequalities ensure that the transition occurs at a timepoint which is later than that of the last executed transition in any potentially conflicting process.
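The shared-variable treatment of the last three paragraphs, as an added example that is not the dissertation's tool: $\mathit{read}(v)$ and $\mathit{write}(v)$ are computed statically from a constructed model, an ample set is closed under the rule that every enabled transition of another automaton accessing a shared variable joins it, and the serialization conjuncts are generated in both the local-reference-time form and the last-transition form. The processes, transitions and variable names are constructed; the omission of a transition's own process from its conjuncts is an assumption (its own reference time is advanced by the transition itself).

```python
"""Ample-set extension for shared integer variables and the serialization
conjuncts of the local-time model.  Added illustration for this page; it is
not the dissertation's tool.  Processes, transitions and variables are
constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

@dataclass(frozen=True)
class Transition:
    name: str
    proc: int                                   # index of the owning automaton
    reads: FrozenSet[str] = frozenset()
    writes: FrozenSet[str] = frozenset()

# Constructed model: four automata; n is shared, m and k are process-local.
MODEL: List[Transition] = [
    Transition("a0", 0, reads=frozenset({"n"})),
    Transition("a1", 0, writes=frozenset({"m"})),
    Transition("b0", 1, writes=frozenset({"n"})),
    Transition("c0", 2, reads=frozenset({"n"})),
    Transition("c1", 2, reads=frozenset({"k"})),
    Transition("d0", 3),
]
BY_NAME = {t.name: t for t in MODEL}


def access_sets(model: List[Transition]):
    """read(v) / write(v): process indices that read / write v, determined
    statically when the model is built."""
    read: Dict[str, Set[int]] = {}
    write: Dict[str, Set[int]] = {}
    for t in model:
        for v in t.reads:
            read.setdefault(v, set()).add(t.proc)
        for v in t.writes:
            write.setdefault(v, set()).add(t.proc)
    return read, write


def is_shared(v: str, read, write) -> bool:
    """A variable accessed by a single process needs no treatment."""
    return len(read.get(v, set()) | write.get(v, set())) > 1


def variable_dependency(t: Transition, enabled: Set[Transition], read, write):
    """Enabled transitions of other automata that access a shared variable
    accessed by t: they must be selected along with t."""
    shared = {v for v in t.reads | t.writes if is_shared(v, read, write)}
    return {u for u in enabled
            if u.proc != t.proc and (u.reads | u.writes) & shared}


def ample_closure(start: Transition, enabled: Set[Transition], read, write):
    """Close {start} under variable_dependency until a fixpoint is reached."""
    amp, work = {start}, [start]
    while work:
        for u in variable_dependency(work.pop(), enabled, read, write):
            if u not in amp:
                amp.add(u)
                work.append(u)
    return amp


def serialization_processes(t: Transition, read, write) -> Set[int]:
    """Processes whose time must be constrained when t fires: write(v) for each
    v read by t, read(v) | write(v) for each v written by t.
    Assumption: t's own process is omitted (its reference time advances with t)."""
    procs: Set[int] = set()
    for v in t.reads:
        procs |= write.get(v, set())
    for v in t.writes:
        procs |= read.get(v, set()) | write.get(v, set())
    procs.discard(t.proc)
    return procs


def local_time_conjuncts(t: Transition, read, write) -> List[str]:
    """Local reference times (Chapter 3 model): t_i > t_t for each process i."""
    return [f"t_{i} > t_{t.name}"
            for i in sorted(serialization_processes(t, read, write))]


def last_transition_conjuncts(t: Transition, read, write) -> List[str]:
    """Last-transition variables (Chapter 5 model): t_t > t_last_i."""
    return [f"t_{t.name} > t_last_{i}"
            for i in sorted(serialization_processes(t, read, write))]
```

With every transition enabled, seeding the ample set with `a0` (a read of the shared `n`) pulls in `b0` and `c0`, but not `a1`, whose variable `m` is local to process 0; the write `b0` is serialized against both readers of `n`, while the read `a0` is serialized only against the writer.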
6.2  Parameterized Benchmarks


Our first comparison is made on a set of benchmarks which has been used in [BMPY97] to compare continuous-time techniques based on difference bound matrices with discrete-time techniques based on numerical decision diagrams (NDDs). The same examples are used in [BM98] to compare the efficiency of the POSET method for TEL structures. These benchmarks highlight specific extreme-case scenarios which appear in the exploration of timed systems.

Benchmark A (Figure 6.1) consists of a series of $N$ independent timed automata $A_i$, each with a single state and one clock $C_i$. Each of the $N$ states has an invariant $C_i \le u_i$ and a self-loop transition with a lower bound $C_i \ge l_i$ which also resets $C_i$. Thus, the global system has a unique control state, but the set of possible time configurations becomes more and more complex as the system evolves, eventually covering the entire possible space of clock values. In [BMPY97] it is shown that standard DBM techniques cannot handle more than 5 of these automata composed together. Our results, shown in Table 6.1, are consistent with those obtained in [BM98] using POSETs. It can be seen that with the local time model, only relatively few timed states need to be generated before the entire state space is finally covered. Since the example contains only one control state, partial order reduction is not applicable, and the improvements are due entirely to the local time model.

Figure 6.1: Benchmark A (automata $A_1, A_2, \ldots, A_N$)

N          16    32    48    64    80    96    112   128
states     72    158   229   226   298   382   439   469
time (s)   0     1.4   7.2   15.7  40    84.8  154   252

Table 6.1: Exploration of example A using a local-time model

To preserve consistency with the results of [BMPY97], in this example, as well as in the remainder of the benchmarks in this section, the time constants in the model have been generated randomly from the interval [0..7].

A second benchmark B (Figure 6.2) consists of $N$ two-state automata, between which the automaton switches in a time interval $[l_i, u_i]$. Such an automaton represents a boolean signal for which two successive changes in value are constrained by a lower and an upper time bound. An array of such automata would be necessary to model the behavior of a circuit under all possible inputs. Again, the results for reachability analysis are similar to those obtained with the POSET method, and significantly better than the standard exploration, which cannot handle more than 4 stages. This model is significantly more complex than the previous one, and the number of timed states increases much faster (the number of control states is $2^N$).

Figure 6.2: Benchmark B

Due to the independence of its transitions, this model is the ideal candidate for partial order reduction. Table 6.2 presents the comparative results for state space search with and without reduction (using the local time model in both cases). The reduction results are given for the best case with no visible transitions (this is the case if B is part of a model being verified either for deadlock detection or with respect to other visible properties). With partial order reduction, the number of states increases linearly rather than exponentially: 80 automata are analyzed in less time and a fraction of the space compared to 13 automata without reduction.

Without reduction:

N          8      9      10     11     12     13
states     1214   3463   9623   18634  36320  71442
time (s)   0      0.5    2      4.85   11.7   27.7

With partial order reduction:

N              8     16    32    48     64     80
states (red.)  75    262   653   1312   1394   2844
time (s)       0     0     0.5   3      6.8    20.8

Table 6.2: Exploration of example B using a local-time model

The final example of this section is an asynchronous circuit consisting of $N$ XOR gates with delays, connected in a ring, in which gate $i$ outputs $x_i$ after some bounded delay, and has as inputs the (delayed) values of $x_i$ and $x_{i-1}$. Each gate can be represented by a 4-state timed automaton, with states encoding the actual and hidden value of the output signal, and a clock that models the delay [MP95].


The system is strongly coupled: each change in one of the signals potentially cascades to cause changes in all gates in the ring, and the feedback loops create a high complexity of the resulting state space. We present the results of computing all timed states that are reachable from the initial unstable state in which all signals have the value 1. Several variations of the state space search have been employed. In Table 6.3, sync denotes a local-time exploration in which only synchronizable states are explored (cf. Chapter 3). Lines marked with act denote results obtained using the clock activity reduction of [DY96], eliminating clocks which are no longer used before they are reset. For a gate modeled as a timed automaton, this reduction occurs at the stable states, from which the clock is reset when switching to an excited state that subsequently causes a change in output.

The results show that, even though the number of timed states is exponential in the number of gates for both standard and local-time exploration, the performance using the local-time model degrades more gracefully, with a factor of more than 20 in running time for 6 gates distinguishing the two. Moreover, it is of significant advantage to restrict the exploration to synchronizable states. Not surprisingly, clock activity reduction improves efficiency for the local-time model as well, and individually it performs even better than the restriction to synchronizable states.

6.3  Case  Studies  of  Timed  Systems 

We  have  evaluated  the  behavior  of  our  local-time  state  space  exploration 
algorithm  in  practice  by  analyzing  several  models  of  timed  systems  that  have 
been  presented  as  case  studies  in  the  literature.  All  of  the  systems  presented 
here  have  been  previously  modeled  and  analyzed  using  the  Uppaal  verifier. 

                      4 gates          5 gates          6 gates
Method                time    states   time    states   time     states
standard              0       1104     0.9s    10992    795s     469706
local                 0       1384     2s      12778    >10min   >400k
local + sync          0       1047     0.7s    6901     38s      95087
local + act           0       444      1s      5285     29s      52190
local + act + sync    0       444      1s      5133     27s      49482

Table 6.3: Exploration of a ring of XOR gates


The first model is a description of the Philips audio control protocol, developed in order to exchange control information using Manchester encoding between audio equipment components. The protocol is modeled using four timed automata, communicating via 12 channels and using four integer variables and two clocks. The input automaton generates valid bit sequences for the sender automaton, which encodes them, determining the necessary delays for the encoding voltage signal. The receiver automaton decodes the bit stream from the sender by measuring the delay between two subsequent signals. Finally, the output acknowledgement automaton checks the bits decoded by the receiver. In this model the components are quite strongly synchronized: after taking variable dependencies into account, there is only one state with a local transition that can form an ample set by itself. As a consequence, the same results are obtained using the standard and the local-time model, with or without partial order reduction (Table 6.4).


States     standard   loc + syn   loc + syn + po
control    145        145         145
timed      151        151         151

Table 6.4: Philips Audio Control Protocol (without bus collision)

The box sorter is a simpler example: a system of four timed automata representing a controller, a box travelling through the system, and a piston and an observer that interact with the box.

In this example the network of automata is also quite strongly coupled, with a high density of synchronization transitions and few possible interleavings, as can be seen directly from the description or by simulating the system in Uppaal. Partial order reduction together with the local-time model reduces the state space by a factor of about 2.5 (Table 6.5), with the local-time model accounting for the greater part. Using the unrestricted local-time model, without regard for synchronizable states, leads to a somewhat higher number of control states (some of which are not reachable in the standard semantics); at the same time, the total number of timed states decreases. Restricting the exploration to synchronizable states is beneficial, a characteristic we have observed for all our examples.


States     standard   local   loc + po   loc + syn   loc + syn + po
control    61         89      66         61          56
timed      558        277     233        226         216

Table 6.5: Box Sorter

The next example is a model of a manufacturing plant. It represents the timing and synchronization mechanism of two robots that transport boxes between a service station and a belt, in either direction. Analyzed with the standard reachability algorithm, the system turns out to be quite complex, resulting in more than 80,000 timed states, even with just five processes and five clocks. The reason for this large state space lies in the time constants that appear in the model: several guards with large integer bounds (> 100) give rise to a large number of distinct time assignments, and hence of zones. The local-time model is especially efficient here, resulting in a 66-fold reduction in the number of timed states (Table 6.6), with a small additional gain for partial order reduction.

An implementation variant of the search algorithm concerns the inclusion test between timed zones. The results presented so far test only whether a newly reached zone is included in one that has already been explored. Conversely, a previously explored zone can be discarded when it is included in the newly reached one, after which the search continues as usual. This double inclusion test may save space, potentially at the expense of time spent in the additional checks. For this example it increases the space savings due to reduction while using comparable time (the "with inclusion" rows of Table 6.6).
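The two inclusion policies above are a matter of passed-list bookkeeping. The following added example (not code from the dissertation or its tool) implements both over difference bound matrices, the usual representation of zones; the DBM class with non-strict bounds only, the PassedList name and the three constructed zones are assumptions of the example. It shows why the inclusion test must be run on canonical (closed) matrices, and how the double inclusion test keeps fewer zones while performing more checks.

```python
INF = float("inf")


class DBM:
    """Difference bound matrix for clocks x1..xn plus the reference clock x0,
    which is always 0.  m[i][j] is the upper bound on x_i - x_j; INF means
    unconstrained.  Only non-strict (<=) bounds are modelled, an assumption
    made to keep the example short; real zone libraries add a strictness bit."""

    def __init__(self, n):
        self.n = n
        size = n + 1
        self.m = [[INF] * size for _ in range(size)]
        for i in range(size):
            self.m[i][i] = 0
            self.m[0][i] = 0      # x0 - xi <= 0: every clock is non-negative
        self.canonical = True

    def constrain(self, i, j, bound):
        """Intersect the zone with x_i - x_j <= bound (j == 0 gives x_i <= bound)."""
        if bound < self.m[i][j]:
            self.m[i][j] = bound
            self.canonical = False
        return self

    def close(self):
        """Floyd-Warshall closure: tighten every entry to the bound implied by
        the others, so that entrywise comparison decides inclusion."""
        if not self.canonical:
            size, m = self.n + 1, self.m
            for k in range(size):
                for i in range(size):
                    for j in range(size):
                        if m[i][k] + m[k][j] < m[i][j]:
                            m[i][j] = m[i][k] + m[k][j]
            self.canonical = True
        return self

    def is_empty(self):
        """A negative diagonal entry after closure means x_i - x_i < 0."""
        self.close()
        return any(self.m[i][i] < 0 for i in range(self.n + 1))

    def includes(self, other):
        """self is a superset of other: each bound of self is at least as loose
        as the corresponding bound of other.  Valid only on closed matrices."""
        self.close()
        other.close()
        size = self.n + 1
        return all(self.m[i][j] >= other.m[i][j]
                   for i in range(size) for j in range(size))


def zone(n, *constraints):
    """Build a closed zone over n clocks from (i, j, bound) triples."""
    z = DBM(n)
    for i, j, bound in constraints:
        z.constrain(i, j, bound)
    return z.close()


class PassedList:
    """Zones already explored, keyed by control location (assumed name)."""

    def __init__(self, double_inclusion):
        self.double_inclusion = double_inclusion
        self.zones = {}   # location -> list of closed zones
        self.checks = 0   # inclusion tests performed: the time cost

    def visit(self, loc, z):
        """Record (loc, z); return True if it is new and must be explored."""
        stored = self.zones.setdefault(loc, [])
        for old in stored:            # test used by all runs in the text
            self.checks += 1
            if old.includes(z):
                return False
        if self.double_inclusion:     # the variant: drop subsumed old zones
            kept = []
            for old in stored:
                self.checks += 1
                if not z.includes(old):
                    kept.append(old)
            stored[:] = kept
        stored.append(z)
        return True

    def size(self):
        return sum(len(zs) for zs in self.zones.values())


def demo():
    """Constructed arrival order of three zones at one location:
    x1 <= 5, then x1 <= 10, then {x2 <= 3, x1 - x2 <= 2}.  The third zone
    implies x1 <= 5 only after closure; an unclosed matrix would wrongly
    look as if it escaped the first zone."""
    arrivals = [zone(2, (1, 0, 5)),
                zone(2, (1, 0, 10)),
                zone(2, (2, 0, 3), (1, 2, 2))]
    result = {}
    for name, double in (("single", False), ("double", True)):
        passed = PassedList(double)
        explored = sum(passed.visit("loc", z) for z in arrivals)
        result[name] = (explored, passed.size(), passed.checks)
    return result
```

demo() returns, per variant, the number of states actually explored, the number of zones retained and the number of inclusion tests: both variants explore the same two states, but the double inclusion test retains one zone instead of two at the price of one extra check, which is the space-for-time trade-off described above.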

Search            States     standard   loc + syn   loc + syn + po
no inclusion      control    211        211         175
                  timed      70338      1065        895
with inclusion    control    211        211         173
                  timed      63119      926         597

Table 6.6: Manufacturing Plant Model


Finally, we have run our tool on a model of the bounded retransmission protocol, a version of the alternating bit protocol over a lossy communication channel with a bounded number of retransmissions of any given packet. The protocol is described using a total of seven processes, which model a sender and a receiver (each with its own channels), two lossy communication lines, and an abstraction of the transmitted file. The model contains 5 clocks, 10 integer variables and more than a dozen communication channels. Runs have been made with two different sets of model constants (C1 and C2 in Table 6.7), both with and without the double inclusion test. Partial order reduction achieves gains of up to 1/3 even though just two states have ample sets consisting of one local transition.


Variant          States     standard   loc + syn   loc + syn + po
C1, no incl.     control    2477       2513        2038
                 timed      25986      22929       17287
C1, with incl.   control    2477       2508        2036
                 timed      18612      15581       12315
C2, no incl.     control    6577       6590        5982
                 timed      120738     122008      112789
C2, with incl.   control    6552       6574        5966
                 timed      70897      65469       60830

Table 6.7: Bounded Retransmission Protocol


In summary, our results for these models, whose characteristics are representative of typical systems targeted for verification, show that the local-time model, when restricted to synchronizable states, leads to a clear improvement in the size of the reachable state space in all but one of the runs (variant C2 of the bounded retransmission protocol without the double inclusion test, Table 6.7, where the number of timed states is about 1% higher than for the standard search). In addition, further savings can be obtained by selecting a reduced set of transitions for exploration and applying partial order reduction techniques from the untimed domain. As expected, the gains obtained in the latter step depend strongly on the structure of the model: small improvements (10% - 20%) are obtained for models which are tightly synchronized and have few internal transitions, but the gains can be orders of magnitude if there is a significant number of mutually independent transitions.
Chapter 7
Conclusions


In this dissertation we have presented solutions for the application of partial order methods to the verification of timed systems. We have given a partial order reduction algorithm for networks of timed automata which preserves formulas in a timed extension of linear temporal logic. The algorithm is based on a modified local-time semantics, which allows individual automata to execute independently except for synchronization transitions. Timed automata constitute the most expressive timing formalism for which partial order reduction has been investigated so far.

More generally, we have investigated the issues that underlie the application of partial order reduction in a continuous-time model. For a general model whose semantics is defined in terms of timed traces, we show how to separate causal dependence of transitions from time ordering due to concurrency and how to obtain general conditions for the application of partial order reduction. As particular instances of this framework we obtain improved algorithms for timed event/level structures and time Petri nets, as well as the algorithm for timed automata based on the local-time model.

We have evaluated the performance of our partial order reduction approach by building a tool which implements the reduction algorithm for networks of timed automata and analyzing several examples. The resulting reduction in state space stems from two sources: the local-time model reduces the number of generated time regions, while the partial order techniques applied from the domain of untimed systems reduce the explored control state space.




Future  Work 


The research issue that seems most immediately appealing is the combination of partial order reduction and symbolic model checking in the context of timed systems. Symbolic approaches for the representation of the large number of time zones resulting from state space exploration have long been an issue of special interest in real-time verification. However, due to the different nature of the operations performed on control states and time regions, symbolic representations that are applicable to both components have been difficult to find.

Recently, two data structures inspired by BDDs, clock difference diagrams [BLP+99] and difference decision diagrams [MLAH99], have been proposed. The latter data structure provides a unified framework for handling control and timing information, together with algorithms for conjunction, substitution and existential quantification, the elementary operations of the state space exploration algorithm for timed automata. Moreover, first reported results, although so far only for systems with a very regular structure, have shown that fully symbolic model checking can significantly outperform the traditional algorithms for timed automata.

The state-space exploration algorithm based on the local-time model can be implemented without difficulty using DDDs, since it is based on the same basic operations as the standard zone-based exploration. Also, it is in this context that static partial order reduction can be used to its best advantage, given its independence of the underlying exploration algorithm. Instead of encoding the exploration of all outgoing transitions from a given state, the symbolic representation of the transition relation will contain only those transitions which have been selected for execution by the reduction algorithm.

It is well known that the size of a symbolic representation does not bear a direct relation to the number of states represented. Therefore, the combination of partial order reduction and symbolic model checking is not automatically a more efficient technique. However, the main goal of a symbolic representation is to efficiently store and process a set of individual states, whereas the local-time model already coalesces individual time regions into coarser ones. Thus, it can be expected that the local-time model would already carry out in part the task of the symbolic algorithm, and furthermore that the selection of a reduced number of transitions may decrease the complexity of a symbolic exploration step.

A second direction of research concerns the applicability of partial order reduction to more expressive models. The present framework for the use of partial order reduction for timed systems depends essentially on the fact that time advances at the same rate in all components of the model. A next step would be to investigate this technique for systems with multi-rate clocks and more generally for hybrid systems, which combine continuous and discrete evolution.

Yet another question concerns the applicability of partial order reduction jointly with other state space reduction techniques. In particular, we have seen partial order reduction applied to two different quotient models: the zone automaton and the region graph automaton. But other models that can be used for efficient verification exist, in particular the quotient with respect to a time-abstracting bisimulation, which can be much smaller. An interesting question is whether partial order reduction can be applied together with this minimization, and in particular with on-the-fly techniques.

Ultimately, the goal of this, as of any other verification technique, is the successful application to practical designs. Even though many different formalisms are used for the modeling of timed systems, we have shown that a quite general principle for the application of partial order reduction can be found. Algorithms for a partial order state space exploration can be extracted based on the particular characteristics of the chosen model, using the same representation as a search without reduction or a slightly modified one. Our results for timed automata, together with prior results for other timed models, show that partial order reduction is a feature which can result in significant gains when implemented in a verification system.